Some official Python repos were infected with malware

Attacks on public Python repositories continue unabated

Cybersecurity researchers recently discovered half a dozen typosquatting packages in the official PyPI repository of the Python programming language that contained cryptomining malware.

The discovery was made by software supply chain automation and security provider Sonatype, which found six malicious packages that used slight variations in the names of popular Python packages to capitalize on users’ spelling mistakes.

In all, the six counterfeit packages garnered over 5,000 downloads, once again highlighting the threat to software supply chains.

“Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains,” writes Sonatype security researcher Ax Sharma.

Supply chain attacks

Sharma’s analysis shows the fake packages were all submitted by the same author, some dating as far back as April 2021.

This isn’t the first time malicious users have managed to infuse dubious packages inside PyPI, and Sonatype argues it won’t be the last, however unfortunate that might sound.

Reporting on the development, Ars Technica notes the previous attacks on PyPI, adding that malicious code has been found lurking in other public repositories as well, such as RubyGems for the Ruby programming language and npm for the JavaScript language.

The revelations shouldn’t be taken lightly on their own, and they look worse still in the context of the recent Veracode finding that suggests a majority of developers never update third-party open source libraries after including them in a codebase.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.