The discovery was made by software supply chain automation and security provider Sonatype, which found six malicious packages that used slight variations in the names of popular Python packages to capitalize on users’ spelling mistakes.
In all, the six counterfeit packages garnered over 5000 downloads, once again highlighting the threat to software supply chains.
- These are the best endpoint protection tools
- Here's our choice of the best malware removal software on the market
- Check our list of the best firewall apps and services
“Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains,” writes Sonatype security researcher, Ax Sharma.
Supply chain attacks
Sharma’s analysis shows the fake packages were all submitted by the same author, some dating as far back as April 2021.
This isn’t the first time malicious users have managed to infuse dubious packages inside PyPI, and Sonatype argues it won’t be the last, however unfortunate that might sound.
While they shouldn’t be taken lightly, the revelations can quickly turn ugly when viewed in context of the recent Veracode finding that suggests a majority of developers never update third-party open source libraries after including them in a codebase.
- Protect your devices with these best antivirus software