11.Locks IsometricPattern Esm W900

The Python Package Index, or PyPI, continues to surprise and not in a good way. Ideally a source of Python libraries that developers can include in their projects to save time, PyPI has again been caught hosting packages with live Amazon Web Services (AWS) keys and data-stealing malware.

Malicious packages are, sadly, nothing new for PyPI or for packaging systems like npm, RubyGems, crates.io, and the like. Supply chain attacks – via compromising software libraries or typosquatting – have been an issue for years, though one that has gotten more attention recently with incidents like the compromise of SolarWinds.

Despite enhanced vigilance, these incidents still occur with alarming frequency. Just before the New Year, the maintainers of machine learning framework PyTorch warned that PyTorch-nightly, if installed on Linux via pip, included a compromised dependency available through PyPI called torchtriton.