- Jul 27, 2015
In March and April, three subpoenas seeking data on users of PyPI, the Python Package Index, were presented to the Python Software Foundation (PSF).
PyPI is a repository for distributing third-party Python software packages – sets of files that provide Python developers with specific functionality.

The subpoenas – legal demands for information – came from the US Department of Justice, said Ee Durbin, director of infrastructure at the PSF, in a blog post on Wednesday. "The PSF was not provided with context on the legal circumstances surrounding these subpoenas," said Durbin. "In total, user data related to five PyPI usernames were requested."

The Feds asked for names associated with the identified accounts, addresses (including mailing, email, residential and business), connection records, records of session times and associated network identifiers, account creation dates, telephone numbers and IP addresses used during registration, payment information, Python packages uploaded, and IP address download logs of any PyPI packages uploaded by the identified users.
Efforts to slip subverted software into online package registries to facilitate supply chain attacks have increased in recent years, and PyPI has seen its share of suspect activity. Last August, the Python-focused service warned for the first time of a phishing attack targeting account holders. Since then there have been numerous PyPI incidents reported by security researchers, such as the WASP malware, a fake SentinelOne SDK, a poisoned PyTorch dependency, and a remote access tool dubbed Colour-Blind.