SystemExit: `requests` library you installed has been been hijacked


I am trying to import libraries I have used previously to calculate metrics between texts, one being the evaluate package. When I import the package, it says the requests package has been hijacked.

I tried uninstalling python-requests, evaluate, and requests and reinstalling requests and evaluate, but nothing changed. I also tried installing python-dotenv. I have python==3.9.13 and requests==2.31.0.

This is the output:

from evaluate import load

bertscore = load("bertscore")
predictions = ["hello there", "general kenobi"]
references = ["hello there", "general kenobi"]

results = bertscore.compute(predictions=predictions, references=references, lang="en")
Well . The `requests` library you installed has been been hijacked 
An exception has occurred, use %tb to see the full traceback.

SystemExit: 

Edit: Screenshot of terminal pip freeze


There are 2 best solutions below


You have apparently installed python-requests. Uninstall it.


[TL;DR: specific solution at the bottom, OP needs to run step 2]

This happens because an installed package overwrote the original package's namespace (and files). While there may be cases where such behavior is actually desired, this isn't one of them. Packages like this attempt to exploit common typos or use confusing names similar to legitimate packages, so unsuspecting victims would install (and then run) them on their environments. Many packages using such practices are usually malicious, though sometimes this can happen in error, or as a proof-of-concept (which, while it may be annoying, is relatively innocent).

Generally speaking (not just for the specific package in question), it is hard to predict the extent of exposure; however, if this happens I'd suggest assuming that, at the very least, the Python environment is compromised, and in some cases the entire system may be as well. Generally, I'd suggest searching for further information about such a package (hoping that you're not the first to encounter it) and following reputable suggestions. In some extreme cases it may be required to wipe and reinstall the entire OS.

Specific solution for python-requests==0.0.0.2

Seeing as this appears to be a proof-of-concept and does not execute malicious code (other than destroying requests), this can be fixed by first uninstalling python-requests, and since it overwrote the original package, repairing requests is also needed. Assuming you are using pip, follow these steps:

  1. First, remove the offending package with pip uninstall -y python-requests
    The -y flag prevents pip from asking for confirmation.
  2. Now, repair the original package with pip install --force-reinstall requests
    This will fix the installation, as it will rewrite the overtaken (and now deleted) files from the damaging package.

I would not recommend this for all such packages, only for this one, at this point in time, and for this specific version. There's nothing (at the moment) to stop the maintainer from actually injecting malicious code into newer releases of this package. Seeing as you have already uninstalled the package but are still stuck with a broken requests installation, simply fix the package (as mentioned in step 2), and you should be good to go.
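A check a defender can run on an environment where this is suspected, as an added example that is not part of either answer above: it reads each installed distribution's RECORD file list via importlib.metadata and reports any file claimed by two distributions, which is the file-overwrite pattern the answer describes for python-requests. The SAMPLE_RECORDS below are constructed to mirror the question's situation, not read from a real environment.

```python
from collections import defaultdict
from importlib import metadata


def file_owners(records):
    """Map each relative file path to the set of distributions whose RECORD lists it.

    `records` is an iterable of (distribution_name, [relative paths]) pairs.
    """
    owners = defaultdict(set)
    for dist_name, paths in records:
        for path in paths:
            owners[str(path)].add(dist_name)
    return owners


def find_collisions(records):
    """Return {path: sorted owner names} for every file claimed by more than one distribution.

    Two distributions writing the same module file means whichever was
    installed last silently replaced the other's code.
    """
    return {path: sorted(names)
            for path, names in file_owners(records).items()
            if len(names) > 1}


def installed_records():
    """Yield (name, paths) for every distribution visible to the running interpreter."""
    for dist in metadata.distributions():
        # dist.files is None when the distribution shipped no RECORD file.
        yield dist.metadata["Name"], [str(p) for p in dist.files or []]


# Constructed sample: both the real `requests` wheel and the typosquat
# `python-requests` claim requests/__init__.py, as in the question.
SAMPLE_RECORDS = [
    ("requests", ["requests/__init__.py", "requests/api.py",
                  "requests-2.31.0.dist-info/RECORD"]),
    ("python-requests", ["requests/__init__.py",
                         "python_requests-0.0.0.2.dist-info/RECORD"]),
    ("urllib3", ["urllib3/__init__.py"]),
]

if __name__ == "__main__":
    for path, owners in sorted(find_collisions(installed_records()).items()):
        print(f"{path} is claimed by: {', '.join(owners)}")
```

Not every reported collision is hostile (stray top-level files shipped by several wheels are a known nuisance), but a second distribution claiming a well-known package's `__init__.py` is exactly the case worth investigating before running `pip install --force-reinstall`.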