PyPl suspends new projects and user sign-ups following flood of malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

The world’s biggest repository for open-source Python packages, PyPI, disabled new user registrations, and barred existing users from uploading new projects over the weekend, citing an unmanageable flood of malicious code being uploaded to the platform.

In an announcement posted on the PyPI status page, the organization said: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”

The team planned to “re-group over the weekend” and soon enough, on Sunday evening (around 10 PM UTC), the suspension was lifted.

Supply chain attacks

Supply chain attacks are all the rage these days, and as a result, open-source repositories have become an attractive target for cybercriminals and hackers. These days, most companies are incorporating open-source software in their products, at least to some extent. By squeezing malicious packages into the repository, threat actors are hoping IT teams will pick it up, compromising not just the product they’re building, but their entire network and infrastructure. 

Most of the time, malicious actors would engage in “typosquatting” - creating malicious packages with names almost identical to already existing, benign packages. That way, they’re hoping that reckless, overworked, or understaffed developers won’t notice the difference and will pick the wrong package for their solution.

To build out credibility and have more people download their malware, threat actors would also generate fake reviews and blow up their download numbers with the help of bots and artificial intelligence.

In recent months, the attacks on Python developers through PyPI have intensified, and we have reported at least six separate incidents that were discovered this year .

Hackers are usually looking to install infostelaers, which help them steal credentials and access valuable company assets. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.