Malicious PyPI Packages

It was a matter of time. After the npm repository was hit later last year and Ruby gems were found mining cryptocurrency, this time it's PyPI that spreads bad code. Supply chain attacks, as this vector is typically referred to, are becoming an increasing problem, foremost for software vendors.

The rich supply of community-maintained packages makes particular languages attractive to businesses. Plenty of ready-made packages allow teams to rapidly build the most important components required to bootstrap any SaaS business. Authentication, database connectivity, model-view abstraction layers, web request routing, HTML templating: all of it can be found in any of these repositories, at no added cost.

However, nothing in life is free and the price vendors pay is the added risk of unvalidated or unverified sources.

The two approaches to countering this are business-driven and community-driven.

Companies like JFrog, who initially discovered the PyPI vulnerability, offer products to help ISVs mitigate this risk in their codebase. Automated scanning as a service is a relatively new model of security product that helps secure code while it is built.

The community-driven approach is much more a dance on a razor blade. High participation is characteristic of the community, and high barriers to contributing will hurt contribution. Finding the right balance is a challenge PyPI will have to face in any measure taken going forward.