Popular:
Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

PyPI's Project Quarantine: A New Weapon Against Malware

2025-01-05
PyPI's Project Quarantine: A New Weapon Against Malware

The Python Package Index (PyPI) has introduced a 'Project Quarantine' feature to combat the persistent problem of malware. This feature allows PyPI administrators to flag potentially harmful projects, preventing easy installation by users and mitigating harm. Instead of outright deletion, projects are hidden from the simple index, remaining modifiable by owners (but not releasable), with administrators retaining the power to lift quarantine. Future plans include automating quarantine based on multiple credible reports, improving efficiency and shrinking the window of opportunity for malware spread.

Read more
(blog.pypi.org)
Development

Ultralytics Suffers Supply Chain Attack: A PyPI Security Incident Analysis

2024-12-14
Ultralytics Suffers Supply Chain Attack: A PyPI Security Incident Analysis

The Python project Ultralytics recently suffered a supply chain attack. Attackers compromised the project's GitHub Actions workflows and stole a PyPI API token, resulting in tainted versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46. The attack didn't exploit a PyPI vulnerability but targeted the GitHub Actions cache. PyPI, leveraging Trusted Publishing and Sigstore transparency logs, quickly identified and removed the malicious software. The incident highlighted shortcomings in API token and GitHub environment configurations. The article stresses securing software forges and build/publish workflows, providing developers with security recommendations: using Trusted Publishers, locking dependencies, avoiding insecure patterns, and enabling multi-factor authentication.

Read more
(blog.pypi.org)
Development supply chain attack PyPI security software security