Back to the PyPi python code repository

Last week I reported on the security issues the PyPi python code repository was having, including closing its doors to new custom and at last implementing compulsory multi-factor authentication for its users. PyPi still has one lesson for us.

We all need to use industry-standard anti-virus solutions on endpoints, servers, email, etc. (we still find that the occasional new client is using a free option!), but the threat actors can manipulate that protection.

Because they can reverse engineer the anti-virus packages, they know what those packages are scanning for, so the malicious code evades detection. It is then a race for the AV vendors to realise that the malware is not being detected and to fix it. But if that malware is mixed into legitimate code, which itself is then built into legitimate applications which the user happily installs, detection becomes even more difficult:

PyPI malware ramps up the threat to the code repository • The Register

Your takeaway from the PyPi python code repository problem

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Code Risk

PyPi. I wrote about code supply chain compromise last week…

PyPi software repository takes the most basic of security steps…