- Aug 17, 2017
The world’s biggest repository for open-source Python packages, PyPI, disabled new user registrations, and barred existing users from uploading new projects over the weekend, citing an unmanageable flood of malicious code being uploaded to the platform.
In an announcement posted on the PyPI status page, the organization said: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.” The team planned to “re-group over the weekend” and soon enough, on Sunday evening (around 10 PM UTC), the suspension was lifted.
Supply chain attacks are all the rage these days, and as a result, open-source repositories have become an attractive target for cybercriminals and hackers. These days, most companies are incorporating open-source software in their products, at least to some extent. By squeezing malicious packages into the repository, threat actors are hoping IT teams will pick it up, compromising not just the product they’re building, but their entire network and infrastructure.