Python’s PyPI Reveals Its Secrets

April 11, 2024 at 10:27AM GitGuardian’s 2023 and 2024 reports revealed significant security concerns in public repositories. The 2024 report found 12.8 million new exposed secrets on GitHub and highlighted security risks in PyPI. The report emphasizes the prevalence of open-source packages and stresses the importance of proper secret management to prevent potential exploitation. After … Read more

Python’s PyPI Reveals Its Secrets

April 11, 2024 at 07:45AM GitGuardian’s 2024 report reveals over 12.8 million new exposed secrets in GitHub and highlighted potential threats in the PyPI repository. While Python developers widely use open-source packages, the report identifies the risks of exposing sensitive credentials. The article emphasizes the importance of proper secrets management and advises adopting automation tools … Read more

PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers

March 29, 2024 at 02:09AM The Python Package Index (PyPI) temporarily halted new user sign-ups due to an influx of malicious projects aimed at developers. Threat actors used typosquatting to upload deceptive versions of popular packages, targeting sensitive data and crypto wallets. Over 500 suspicious packages were uploaded within days, highlighting the increasing risk of … Read more

Malware Upload Attack Hits PyPI Repository

March 28, 2024 at 02:24PM The Python Package Index (PyPI) had to suspend new project creation and user registration to counter a malware upload campaign. Security researchers discovered malicious Python packages using typo-squatting to push multi-stage attacks to steal sensitive data and crypto wallets. The incident underscores the ongoing cybersecurity threats to software development ecosystems. … Read more

PyPI suspends new user registration to block malware campaign

March 28, 2024 at 02:04PM PyPI, the Python Package Index, has suspended user registrations and new project creation due to an ongoing malware campaign. Threat actors are uploading fake packages to compromise developers, with the latest report from Checkmarx revealing 365 malicious entries and an info-stealer payload. This emphasizes the importance of rigorously verifying open-source … Read more

ML Model Repositories: The Next Big Supply Chain Attack Target

March 18, 2024 at 06:15PM Machine-learning model platforms, such as Hugging Face, are vulnerable to attacks similar to those experienced by npm, PyPI, and other open source repositories. These attacks have been successfully executed by threat actors for years. It seems from the meeting notes that the discussion highlighted the susceptibility of machine-learning model platforms … Read more

Japan Blames North Korea for PyPI Supply Chain Cyberattack

March 10, 2024 at 08:02PM Japanese cybersecurity officials issued a warning about North Korea’s Lazarus Group targeting the PyPI software repository with tainted Python packages, infecting Windows machines with the Comebacker Trojan. Gartner’s Dale Gardner describes Comebacker as a general purpose Trojan. The attack is a form of typosquatting and may disproportionately impact developers in … Read more

Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

February 29, 2024 at 03:33AM North Korean hackers, Lazarus, uploaded four malware-containing packages to PyPI repository, collectively downloaded 3,269 times. The packages, now removed, targeted Python developers by capitalizing on typos during installation. The attack mirrors Phylum’s discovery of rogue npm packages targeting developers. Both campaigns conceal malicious code within test scripts. JPCERT/CC urges caution … Read more

Japan warns of malicious PyPi packages created by North Korean hackers

February 28, 2024 at 10:08AM JPCERT/CC warns of North Korean hacker group Lazarus uploading four malicious PyPI packages to infect developers with malware. These packages allow access to developer networks, enabling financial fraud and supply chain attacks. The malware, named “Comebacker,” connects to the attacker’s server and executes further Windows malware. Previous attacks by Lazarus … Read more

Dormant PyPI Package Compromised to Spread Nova Sentinel Malware

February 23, 2024 at 12:45PM A dormant package on PyPI, django-log-tracker, was updated after two years to introduce the Nova Sentinel information stealer malware. The update, detected on Feb 21, 2024, suggests a compromise of the PyPI account. The malicious update contained an executable file for the malware. The attack was an attempted supply-chain attack … Read more