Public source code repositories, such as SourceForge, GitHub, and PyPI, are a great resource for free operating systems, applications, programming libraries, and developers’ toolkits. They can save time and provide access to other people’s expertise. However, they also come with cybersecurity challenges: popular packages suddenly vanishing, packages being actively hijacked for evil purposes, rogue packages masquerading as innocent ones, and petulant behaviour by so-called “researchers”. Recently, PyPI was hit by rogue, automated uploads. To avoid falling victim to these problems, users should check that they are downloading the right module from the right publisher, test and review everything they download, choose proper passwords and use 2FA, and not blindly trust newcomers to their project. Users should also avoid being a “you-know-what” and should behave ethically themselves.
PyPI open-source code repository deals with manic malware maelstrom – Naked Security
- by admin
- Cyber News, Hacks, News
- 1 min read
