Malware Flood Causes PyPI to Temporarily Halt New Accounts
Hackers Are Now Using Code Repositories as Malware VectorsPython code repository PyPI temporarily halted new user registration for a second time in three months following a surge in malware-ridden code mimicking legitimate software packages.
See Also: A Look Forward: 2025 Cybersecurity Threat Landscape
Cybersecurity researchers from Checkmarx and Phylum observed threat actors flooding the Python Package Index repository - PyPI for short - with typosquatted versions of well-known packages to deceive developers. PyPI restored services early Thursday after approximately 10 hours of downtime.
Cybercriminals published more than 500 typosquatted variations of authentic projects. The packages harbored malicious code within the setup.py
file. The code fetched a secondary payload from a remote server and deployed an info stealer designed to pilfer data from web browsers. Stolen data included passwords, cookies, extension data and crypto wallets.
A late December influx of "malicious users and projects," required similar action.
"This incident is not an isolated case and similar attacks targeting package repositories and software supply chains are likely to continue," Checkmarx said.
"While PyPI's quick and heavy-handed response no doubt helped mitigate the fallout from this attack, it's nonetheless worth pointing out that not all ecosystems are as quick and effective at dealing with such an attack," Phylum's team said.
PyPI is a repository that hosts and distributes software packages for Python developers to use. The Python ecosystem is finalizing index support for digital attestations to help verify packages.
PyPI is not the only code repository to recently be attacked by hackers. Researchers from app security firm Apiiro in February said more than 100,000 GitHub repositories - and "presumably millions" - were affected by a campaign to create look-alike copies of known and trusted repositories that are infected with malicious code (see: Breach Roundup: White House Calls for Memory-Safe Languages).
The U.S. Cybersecurity and Infrastructure Security Agency and the Open Source Security Foundation in February published best practices for software repositories. "Package repositories are uniquely positioned to improve the overall security posture of open-source software in a way that benefits all users," CISA Director Jen Easterly said during a March open-source software security conference (see: CISA Launches New Efforts to Secure Open-Source Ecosystem).