Skip to main content

Some official Python repos were infected with malware

Glasses in front of computer screen
(Image credit: Kevin Ku / Pexels)

Cybersecurity researchers recently discovered half a dozen typosquatting packages in the official PyPI repository of the Python programming languages that contained cryptomining malware. 

The discovery was made by software supply chain automation and security provider Sonatype, which found six malicious packages that used slight variations in the names of popular Python packages to capitalize on users’ spelling mistakes.

In all, the six counterfeit packages garnered over 5000 downloads, once again highlighting the threat to software supply chains.

“Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains,” writes Sonatype security researcher, Ax Sharma.

Supply chain attacks

Sharma’s analysis shows the fake packages were all submitted by the same author, some dating as far back as April 2021.

This isn’t the first time malicious users have managed to infuse dubious packages inside PyPI, and Sonatype argues it won’t be the last, however unfortunate that might sound.

Reporting on the development, Ars Technica notes the previous attacks on PyPI, adding that malicious code has been found lurking in other public repositories as well, such as RubyGems for the Ruby programming language and npm for the JavaScript language.

While they shouldn’t be taken lightly, the revelations can quickly turn ugly when viewed in context of the recent Veracode finding that suggests a majority of developers never update third-party open source libraries after including them in a codebase.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.