Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)
Researchers have discovered yet another set of malicious packages in PyPI, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords.

Check Point Research, which reported its findings Monday, wrote that it didn't know how many people had downloaded the 10 packages, but it noted that PyPI has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPI through the pip command is a foundational step for starting or setting up many Python projects. PePy, a site that estimates Python project downloads, suggests most of the malicious packages saw hundreds of downloads.
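The article's point is that the malicious packages worked by looking familiar to developers typing pip install. One defensive control a project can run in CI before installing anything is a lookalike check: compare every name in a requirements file against an allowlist of packages the project is known to depend on and flag names that are a few edits away from an allowed name without matching it. The script below is an added example written for this article, not code from Ars Technica or Check Point Research; the allowlist, the sample requirements file and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag lookalike package names in a pip requirements file.

Added example for this article; not code from Ars Technica or Check Point.
The allowlist, sample requirements and distance threshold are constructed here.
"""
import re
from typing import Optional

# Constructed allowlist: packages this hypothetical project is known to use.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask", "colorama"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> Optional[str]:
    """Return the project name from one requirements line, or None for blank,
    comment and option (-r/--index-url) lines. Version specifiers are ignored."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def find_lookalikes(requirements_text: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (requested_name, closest_known_name, distance) for every requirement
    whose normalized name is within max_distance edits of an allowlisted package
    but is not that package. Exact allowlist matches and unrelated names pass."""
    findings = []
    for line in requirements_text.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in known:
            continue
        closest = min(known, key=lambda k: edit_distance(norm, k))
        distance = edit_distance(norm, closest)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings


# Constructed sample requirements file with two lookalike entries.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.26
reqeusts==2.31.0   # transposed letters
colourama          # lookalike spelling
pytest             # legitimate, simply not on the allowlist
"""

if __name__ == "__main__":
    for name, closest, distance in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"WARNING: {name!r} is within {distance} edit(s) of allowlisted {closest!r}")
```

Run on the constructed sample, the script flags reqeusts (two edits from requests) and colourama (one edit from colorama) and stays silent on pytest, which is not close to anything on the allowlist. A threshold of two edits is a judgement call; it catches transpositions and single added or dropped characters while leaving genuinely different names alone. Pair a check like this with hash-pinned requirements (pip's --require-hashes mode) so that even an allowlisted name cannot silently resolve to a different artifact.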
Such supply-chain attacks are becoming increasingly common, especially among open source software repositories that support a wide swath of the world's software. Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year. But trick packages have also been found in RubyGems in 2020, NPM in December 2021, and many more open source repositories.