As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.
“Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks,” JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said Thursday.
PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.
The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below –
- pytagora (uploaded by leonora123)
- pytagora2 (uploaded by leonora123)
- noblesse (uploaded by xin1111)
- genesisbot (uploaded by xin1111)
- are (uploaded by xin1111)
- suffer (uploaded by suffer)
- noblesse2 (uploaded by suffer)
- noblessev2 (uploaded by suffer)