Popular PyPI site for developers temporarily blocks functions due to malware campaign
Administrators for a widely used repository for the Python coding language suspended some functions temporarily overnight because of a “malware upload campaign.”
The Python Package Index (PyPI) said it had restored services early Thursday after blocking new project creation and new user registration for about 10 hours. PyPI is a key part of the software supply chain, allowing developers to share and download useful pieces of Python code.
PyPI’s announcement provided no details, but researchers from cybersecurity company Checkmarx said they were investigating a malware campaign that appeared to be related. Analysts at another security firm, Phylum, published similar research.
“This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc..) and various credentials,” the Checkmarx team said.
Like many malware campaigns involving software repositories, the PyPI incident involved attempts to trick users into downloading code packages that seem legitimate but are secretly malicious. Researchers at Checkmarx and Phylum said the attackers used typosquatting — naming a file in a way that makes it look like a common package but might have a misplaced letter or an extra one.
In some cases, “all it takes is a single misplaced finger on the keyboard for your machine to be compromised,” Phylum said.
Phylum and Checkmarx both warned that there are similar malware campaigns on the way.
“While PyPI’s quick and heavy-handed response no doubt helped mitigate the fallout from this attack, it’s nonetheless worth pointing out that not all ecosystems are as quick and effective at dealing with such an attack,” Phylum’s team said.
The malware appears to be persistent, too, Checkmarx said. When a developer begins to work with a poisoned package, the malware quietly executes and can survive a system reboot.
The attackers targeted developers working with popular elements like Pillow, which helps software handle images, and Colorama, used for text coloring. Checkmarx published separate research on Monday about a malware campaign involving Colorama.
PyPI last suspended new user creation in December 2023 because of a surge in “malicious users and malicious projects.”
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.