PyPI is still experiencing malicious activity

2023-06-03 07:37:39

PyPI, the official Python package repository, regularly experiences waves of malicious activity. Just recently, cybersecurity experts revealed that a package hosted there was infected with malware. Faced with the recurrence of the problem, PyPI has decided to make two-factor authentication mandatory by the end of 2023.

Understanding PyPI

PyPI contains thousands of Python packages that can be installed and used in Python programs. Developers will find there simple utility modules as well as complex libraries and frameworks.

The Python Package Index allows Python programmers to easily share their code with others, and to reuse code shared by others. This has led to the development of many high-quality open source projects that are used by developers around the world.

PyPI also provides a number of features and tools to help users manage their packages. These include tools for uploading and managing packages, as well as tools for finding and browsing packages.

Repeated malicious activity

PyPI’s popularity makes it a prime target for malicious actors. Towards the end of May, it was once more targeted by attackers: a malicious actor flooded the package repository with malicious, automated downloads.

This situation led the PyPI team to temporarily suspend new user registrations and the creation of new projects by existing users. No further details have been revealed about this latest attack, except that the suspension was lifted after 24 hours.

PyPI deplores these repeated malicious activities. Beyond cybercriminals, the team must also deal with “experimental attacks” conducted by some researchers and students “for academic purposes”. It cites the example of the doctoral student who injected fake patches into the Linux kernel, as well as the researchers who carry out proof-of-concept attacks.

PyPI: two-factor authentication soon mandatory

The PyPI security team also explains that compromised user accounts are one of the main attack vectors against the index. It has therefore decided to require users to enable two-factor authentication by the end of 2023.

In doing so, PyPI hopes to stem the account takeover attacks that are widely used to compromise PyPI users. Supply chain security in the open source community is a top concern today, which largely explains the 2FA mandate.

By the end of the year, PyPI will start blocking access to certain site features for users who have not enabled two-factor authentication. In addition, some users will have to comply earlier, says PyPI, which gives no further details on how those users will be selected.
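On the consumer side, a hijacked maintainer account usually shows up as an unexpected new release of a package that had been quiet for a long time. The script below is an added example (not from the article and not PyPI's own tooling) of a simple dormancy check over the shape of PyPI's JSON API response (`https://pypi.org/pypi/<name>/json`, whose `releases` mapping lists each uploaded file with its `upload_time_iso_8601`); the package name, versions, dates and digests in `SAMPLE_RESPONSE` are constructed so that it runs offline.

```python
"""Flag PyPI releases that appear after a long period of dormancy.

Added example; the sample data mimics the PyPI JSON API response format
but the package "example-pkg", its versions, dates and digests are made up.
"""
from datetime import datetime, timedelta

# Constructed sample in the shape of https://pypi.org/pypi/<name>/json (hypothetical package).
SAMPLE_RESPONSE = {
    "info": {"name": "example-pkg", "version": "1.4.0"},
    "releases": {
        "1.2.0": [{"filename": "example_pkg-1.2.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2020-01-10T12:00:00.000000Z",
                   "digests": {"sha256": "00" * 32}}],
        "1.3.0": [{"filename": "example_pkg-1.3.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2020-03-15T09:30:00.000000Z",
                   "digests": {"sha256": "11" * 32}}],
        # Three years of silence, then a new upload: worth a look before upgrading.
        "1.4.0": [{"filename": "example_pkg-1.4.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2023-05-28T23:59:00.000000Z",
                   "digests": {"sha256": "22" * 32}}],
    },
}


def parse_time(ts: str) -> datetime:
    # PyPI timestamps end in "Z"; fromisoformat() before Python 3.11 rejects that suffix.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_timeline(response: dict) -> list[tuple[str, datetime]]:
    """Return (version, earliest upload time) pairs sorted by upload time.

    Versions with no files (PyPI keeps empty entries for removed releases)
    are skipped because they carry no timestamp.
    """
    timeline = []
    for version, files in response["releases"].items():
        times = [parse_time(f["upload_time_iso_8601"]) for f in files]
        if times:
            timeline.append((version, min(times)))
    timeline.sort(key=lambda vt: vt[1])
    return timeline


def dormant_releases(response: dict, dormancy_days: int = 365) -> list[dict]:
    """Flag each release uploaded more than `dormancy_days` after the previous one.

    This is a heuristic for manual review, not proof of a compromised account:
    a legitimate maintainer can also return after years of inactivity.
    """
    flagged = []
    timeline = release_timeline(response)
    for (prev_version, prev_time), (version, time) in zip(timeline, timeline[1:]):
        gap = time - prev_time
        if gap > timedelta(days=dormancy_days):
            flagged.append({"version": version, "previous": prev_version, "gap_days": gap.days})
    return flagged


if __name__ == "__main__":
    name = SAMPLE_RESPONSE["info"]["name"]
    for hit in dormant_releases(SAMPLE_RESPONSE):
        print(f"{name} {hit['version']}: uploaded {hit['gap_days']} days after {hit['previous']}")
```

In practice the response dict would come from the live API and the threshold tuned per project; the flagged release is then compared against the project's source repository and changelog before it is allowed into a lockfile.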
