Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue, according to analysis by Finnish researchers.
The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that uses them.
In total, the research scanned 197,000 packages and found more than 749,000 security issues.
“With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems,” note the researchers in their paper.
Cause for concern
Explaining their methodology, the researchers note that, despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository.
The paper reveals that most of the issues identified (442,373) are of low severity, while 227,426 are of moderate severity. However, 80,065 are high severity issues, and these are found in 11% of the flagged PyPI packages.
In terms of issue types, exception handling and various forms of code injection were found to be the most prevalent.
“Of the 46% of all packages with at least one issue, the median number of issues is three,” note the researchers. Of course, the distribution is uneven, with a few packages riddled with many more issues, including five that were found to have more than a thousand issues.
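As an added illustration (not code from the study or its paper), the following minimal AST-based checker shows how static analysis flags the two issue classes the article names, silent exception handling and code injection; the module it scans is a constructed sample, and the severity labels are assumptions of this example rather than the paper's classification.

```python
import ast

# Constructed sample module (not from the study's dataset) that contains
# both issue classes the article names: swallowed exceptions and code injection.
SAMPLE_SOURCE = '''
import subprocess

def load(cfg_text):
    try:
        return eval(cfg_text)          # code injection: untrusted text executed
    except Exception:
        pass                           # error silently swallowed

def run(user_arg):
    subprocess.call("ls " + user_arg, shell=True)   # shell injection
'''


class IssueFinder(ast.NodeVisitor):
    """Walks a parsed module and records (line, severity, message) findings.
    Severity labels are this example's own assumption."""

    def __init__(self):
        self.issues = []

    def visit_Call(self, node):
        # Works for both bare names (eval) and attribute calls (subprocess.call).
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        if name in ("eval", "exec"):
            self.issues.append((node.lineno, "high", f"use of {name}()"))
        if name in ("call", "run", "Popen", "system"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.issues.append((node.lineno, "high", "subprocess with shell=True"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        if node.type is None:
            self.issues.append((node.lineno, "low", "bare except catches everything"))
        if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
            self.issues.append((node.lineno, "low", "except block silently passes"))
        self.generic_visit(node)


def scan(source):
    """Parse Python source text and return its findings sorted by line."""
    finder = IssueFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.issues)


if __name__ == "__main__":
    for line, severity, message in scan(SAMPLE_SOURCE):
        print(f"line {line}: [{severity}] {message}")
```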
The researchers have reason to be concerned. PyPI has been on the receiving end of several campaigns to poison the repository with malicious packages.
Earlier this year, in June, PyPI was purged of half a dozen typosquatting packages that contained cryptomining malware, and a month before that the repository was flooded with spam packages.