The maintainers of the Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to register new accounts and upload new packages until further notice.
“The volume of malicious users and malicious projects created in the index in the last week has exceeded our ability to respond in a timely manner, especially with several PyPI administrators on leave,” the administrators said in a notification issued on May 20, 2023.
No additional details were disclosed about the nature of the malware or the threat actors behind the malicious packages published to PyPI.
The decision to freeze new project and user registrations comes as software registries like PyPI have proven time and again to be popular targets for attackers looking to poison the software supply chain and compromise developers’ environments.
Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign leveraging OpenAI ChatGPT-themed bait to lure developers into downloading a malicious Python module capable of stealing clipboard content to hijack cryptocurrency transactions.
ReversingLabs, in a similar discovery, identified several packages in the npm repository, including nodejs-encrypt-agent and nodejs-cookie-proxy-agent, that dropped a trojan named TurkoRat.