Python Package Index Found Stuffed with AWS Keys and Malware
1 min read
Jan 16, 2023
The Python Package Index, or PyPI, continues to surprise and not in a good way. Ideally a source of Python libraries that developers can include in their projects to save time, PyPI has again been caught hosting packages with live Amazon Web Services (AWS) keys and data-stealing malware.
Malicious packages are, sadly, nothing new for PyPI or for packaging systems like npm, RubyGems, crates.io, and the like. Supply chain attacks – via compromising software libraries or typosquatting – have been an issue for years, though one that has gotten more attention recently with incidents like the compromise of SolarWinds.
Despite enhanced vigilance, these incidents still occur with alarming frequency. Just before the New Year, the maintainers of machine learning framework PyTorch warned that PyTorch-nightly, if installed on Linux via pip, included a compromised dependency available through PyPI called torchtriton.
Related Articles
1 - 0 min read
Open Source is Not Insecure, Despite Common Misconceptions
1 - 0 min read
Joomla XSS Bug Puts Millions of Websites at Risk of RCE
