Python Package Index Removes 3,653 Malicious Libraries

Once again the Python Package Index (PyPI) has been hit with malicious libraries, over 3,500 of them this time. You can read more about this at The Register or the Sonatype Blog. The PyPI administrators were quick to remove these libraries and minimize the risk of anyone installing them.

On the plus side, these libraries seemed to be mostly making benign GET requests to a Tokyo-based IP. The same campaign also flooded the npm registry.

The only specific malicious package I have seen reported is a variant of CuPy, a NumPy-compatible Python library for Nvidia's parallel computing platform.

While this may have been an attempt to warn developers of weaknesses in their supply chain, there have been several other typosquatting incidents on PyPI in the past that were more insidious.

As always, be sure you understand what you are installing when you use pip. It is on you to make sure that the package you download and install is the one you actually intended, not a lookalike.
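One practical way to act on that advice is to audit a requirements file before running pip against it. The script below is an added example, not code from the original post or from PyPI: it normalizes project names the way pip and PyPI do (PEP 503), skips names that exactly match a trusted allowlist you maintain, and flags any remaining name that is suspiciously close to a trusted one, which is the pattern typosquatting relies on. The trusted list, the requirements text and the 0.8 similarity threshold are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed requirements.txt content for the example (not from the post).
SAMPLE_REQUIREMENTS = """
# project dependencies
-r base.txt
numpy==1.24.0
requets>=2.28
python_dateutil
cupyy
totally-unrelated
"""

# Constructed allowlist: names the team has actually vetted.
TRUSTED = ["numpy", "requests", "python-dateutil", "cupy"]


def normalize(name: str) -> str:
    """Normalize a distribution name as PyPI does (PEP 503):
    runs of '-', '_' and '.' collapse to '-', and the result is lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines.
    Comments, blank lines and pip options such as '-r other.txt' are skipped;
    version specifiers after the name are dropped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def find_lookalikes(requested, trusted, threshold=0.8):
    """Return (requested_name, closest_trusted_name, similarity) for every
    requested name that is NOT on the trusted list but is at least
    `threshold` similar to one of its entries. Exact matches are ignored."""
    trusted_norm = [normalize(t) for t in trusted]
    findings = []
    for req in requested:
        r = normalize(req)
        if r in trusted_norm:
            continue
        best, best_ratio = None, 0.0
        for t in trusted_norm:
            ratio = SequenceMatcher(None, r, t).ratio()
            if ratio > best_ratio:
                best, best_ratio = t, ratio
        if best is not None and best_ratio >= threshold:
            findings.append((req, best, round(best_ratio, 2)))
    return findings


def audit_requirements(text: str, trusted, threshold=0.8):
    """Parse a requirements file and report probable typosquats."""
    return find_lookalikes(parse_requirements(text), trusted, threshold)


if __name__ == "__main__":
    for requested, closest, score in audit_requirements(SAMPLE_REQUIREMENTS, TRUSTED):
        print(f"suspicious: {requested!r} looks like trusted {closest!r} ({score})")
```

Run against the constructed input, the audit flags `requets` (close to `requests`) and `cupyy` (close to `cupy`), while `python_dateutil` passes because normalization maps it onto the trusted `python-dateutil`. A name like `totally-unrelated` is not reported either, because the check only looks for near-misses of packages you already trust; unknown names still deserve a manual look. Pairing this with pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`) means a lookalike that slips past the name check still fails to install unless its artifact hash was pinned in advance.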