Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Python Security

Python's PyPi Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects' (bleepingcomputer.com) 24

Posted by EditorDavid from the projects-management dept.
On Saturday PyPI, the official third-party registry of open source Python packages, "temporarily suspended new users from signing up, and new projects from being uploaded to the platform" reports BleepingComputer.

"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," stated an incident notice posted by PyPI admins Saturday.

Hours ago they posted a four-word update: "Suspension has been lifted." No details were provided, but The Hacker News writes the incident "comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments." Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drops a trojan called TurkoRat.
This discussion has been archived. No new comments can be posted.

Python's PyPi Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects' More

Python's PyPi Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects'

Comments Filter:

  • Git Submodules (Score:1, Interesting)

    by darkain ( 749283 )

    I never really got the appeal of these "package managers" that are language specific. Too much proprietary tech constantly trying to re-invent the wheel.

    In all my projects, I just use Git submodules. It is language and OS agnostic. If I need to make changes and fix bugs in any of the modules, I already have an easy way to commit them back upstream. I don't need to worry about malicious code in repositories, because its all decentralized. If someone else clones my repo, they're cleaning exact git commit hash

    • Re: Git Submodules (Score:5, Informative)

      by DI4BL0S ( 1399393 ) on Sunday May 21, 2023 @09:03PM (#63540753)
      You've clearly not worked in projects with many dependencies and each dependency having their own set of dependencies. Git submodules requires you to manage everything of every other submodule by hand. How do you deal with vulnerabilities within specific versions? What about conflicts between 2 projects? Submodules was never intended for what you use it.

      • Re: (Score:2, Troll)

        by ArchieBunker ( 132337 )

        Sounds like a terrible design.

        • More like don't reinvent the wheel, sure you can write it all yourself, and if you are working inside a massive multinational or high security/risk environment you probably should, but go tell a client that the software he wants cost 10x more, lets see how many projects you'll be allowed to build.

        • Yes, darkain's design for dependency management is terrible. It's terrible because it doesn't scale. It doesn't scale because git was never meant to be used that way. It's not git's fault if you choose to use a pipe wrench as a hammer.

      • Re: (Score:2)

        by AmiMoJo ( 196126 )

        The whole system is a mess. It's like people have never heard of a stable API. Public repos are rarely policed properly either, both for malware and for automated testing. It wouldn't be hard to have PyPi require a decent test suite and builds that pass it, especially for popular projects where breakage will cause a lot of problems.

    • Re:Git Submodules (Score:5, Interesting)

      by Antique Geekmeister ( 740220 ) on Sunday May 21, 2023 @10:04PM (#63540859)

      Having a broad variety of open source tools, some of which are _the_ reference tool, is useful. It happened with Perl, and Java, and is being tried with flatpacks and golang and tust. There are problems: ridiculous chains of unreliable and unpredictably incompatible dependencies are one of the risks we've seen with all of these packaging systems. Each language feels the need to re-invent the wheel because they drive on slightly different roads.

    • I never really got the appeal of these "package managers" that are language specific. Too much proprietary tech constantly trying to re-invent the wheel.

      Let me count the ways.

      1) Hackers are constantly prying into libraries looking for vunerabilities. You are not a security expert, you didnt write the code and you probably dont have time to inspect the entire codebase (especially if its a big one). Modern dependency management gives you access to tools to ensure your notified when vunerabilities are found in

    • Re: (Score:2)

      by gweihir ( 88907 )

      I think this is just "not invented here" bullshit that weaker minds love so much. There really is no sane reason for language specific repositories except to remove flexibility and tie the user to a specific product. Of course purveyors of commercial crap like that very much because suddenly the threshold when users are annoyed enough to move away is much higher. In fact, abominations like MS Windows and MS Office would very likely not exist anymore without that effect. Some organizations pretending to be a

  • Kamal never found the answer
  • Dependency after dependency after dependency. Python is more like a set of legos that people string API calls together with than a language. Installing random python packages is a huge attack vector
    • Comment removed based on user account deletion

      • Re: (Score:2)

        by jsonn ( 792303 )
        Actually, more and more packages will by default go to PyPI for missing packages and that is a very valid concern about Remote Code Execution. If it was only an explicit user action triggering a download, I could care less.
        • Comment removed based on user account deletion

          • Re: (Score:2)

            by jsonn ( 792303 )
            You misunderstood what I am saying. I'm seeing a variety of packages that will automatically fetch missing dependencies via pip from PyPI. If there are preinstalled, e.g. from a system package manager, nothing bad happens. But if something changes, e.g. the dependency was pulled in transitively before and no longer is, suddenly a package build will fetch random crap from the internet. Not good.

    • Dependency after dependency after dependency. Python is more like a set of legos that people string API calls together with than a language.

      Name the language where you don't have dependencies with dependencies involved in software of any significant complexity.

      Installing random python packages is a huge attack vector

      Installing "random" anything packages is a huge attack vector. That's the problem here, there's not enough going on to ensure the repo is of high quality. When's the last time someone got nailed by a malicious package in a Debian repo? Packages have maintainers with verified addresses and cryptographic signatures, and not just any chucklehead can get their packages into the repo either. T

  • Making and distributing fraudulent packages is a crime, yes?

    How come no one goes after those making these things?

    Unless a person is a politician or a lawyer, there is usually accountability.

    • Depends on the country of origin. If some Russian or Chinese (or what have you) hacker is at work here, we can guess that they may be at least partially state-sponsored.

Slashdot Top Deals

"God is a comedian playing to an audience too afraid to laugh." - Voltaire

Close