The Python Package Index (PyPI) repository is back up and running after a temporary suspension of all new users and package uploads. According to the website, PyPI is the official software repository for Python, serving over 700,000 users and over 450,000 projects. The site is popular with developers, but it has also attracted malicious actors who upload harmful packages as a first step in supply chain breaches. However, when PyPI temporarily suspended new user and project registrations, it was not due to any anomalous wave of malicious activity. Instead, there were simply fewer people than usual to address the usual glut, according to a PyPI administrator.
The incident report by PyPI had raised concerns across the security community. Reports from several news sites suggested that the repository had fallen victim to either an anomalous wave of malicious activity or even an outright cyber attack. The situation was characterised by the research firm Checkmarx as part of an uptick in “actors publishing overwhelming amounts of harmful packages in several open-source registries.”
Ee Durbin, Director of Infrastructure for the Python Software Foundation, confirmed that the actual circumstances of the shutdown were much less severe than initially thought. The site was shut down due to human capacity issues with only one PyPI admin available to handle reports instead of the usual three. However, the site is now back up and running with its administrative team available in full force.
The issues surrounding the PyPI repository highlights the growing concerns around open-source security. Malicious packages are rampant today, with attackers finding it an easy way to get a foothold in the dependency chain and get a hold in the user’s computer. Organizations that utilize open-source software have a far more challenging time defending against even such low-level attackers, prompting calls for better package inspection, the development of new tools to track dependencies, and software bills of materials (SBOMs).
To curb the challenges and mitigate the risks associated with open-source software, repositories are making changes to combat malicious packages. The Python Software Foundation recently added a security developer-in-residence role, meant to improve Python security at large. PyPI also announced that it would bring on a safety and security engineer who would focus on PyPI’s security in particular. The repo is continually working to evolve and adapt to combat these threats further.
In conclusion, while repositories struggle to keep up with their far more numerous adversaries, more measures need to be put in place to protect users. Supply chain security in the years to come will rely on our ability to keep public repos clean and protect ourselves when they’re not. It’s essential to note that software vulnerabilities are not what attackers are using to break into computers today. Instead, they create malicious packages to infect computer systems, making it vital to have a robust security system in place at all times.