Slovakia’s National Security Authority is warning that the Python Package Index (PyPI) has been serving malicious packages. Since June, the official Python repository has hosted copies of legitimate packages under names that mimic standard packages (the authority’s own example, `urllib`, is the name of a Python standard-library module, so there is nothing legitimate for `pip install urllib` to fetch). The copies differ only in their installation scripts (setup.py), which run at install time and contain “malicious (but relatively benign) code.”
“Such packages may have been downloaded by unwitting developer[s] or administrator[s] by various means, including the popular ‘pip’ utility (pip install urllib),” the Slovak authorities warned. “There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.”
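The practical question for an administrator reading this is whether any environment already contains such a package. The script below is an added example, not code from the advisory or from PyPI: it reads `pip freeze` output and flags installed distributions whose names collide with a standard-library module (the `urllib` case from the advisory) or closely resemble a known name. The stdlib list comes from `sys.stdlib_module_names` where the interpreter provides it; the fallback subset, the short allowlist of popular distributions, the similarity cutoff and the sample `pip freeze` lines are all constructed assumptions for this example.

```python
"""Flag installed distributions whose names collide with or resemble
standard-library modules or well-known packages (PyPI typosquatting check)."""
import difflib
import re
import sys

# Reference sets. Python 3.10+ exposes the interpreter's own module list;
# the fallback is an assumed, abbreviated subset for older interpreters.
STDLIB = set(getattr(sys, "stdlib_module_names",
                     {"urllib", "crypt", "pwd", "telnetlib", "bz2", "json", "os"}))

# Assumed short allowlist of well-known distributions (constructed for this
# example, not an authoritative list of typosquatting targets).
POPULAR = {"requests", "setuptools", "six", "django", "numpy"}

# Constructed `pip freeze` output for a hypothetical environment.
SAMPLE_FREEZE = """\
requests==2.18.4
urllib==1.21.1
urllib2==1.0
setup-tools==36.0.1
six==1.11.0
"""


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text):
    """Return {normalized_name: version} from `pip freeze`-style lines."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # skip comments, blanks and non-pinned entries (e.g. VCS URLs)
        name, version = line.split("==", 1)
        installed[normalize(name)] = version
    return installed


def audit(installed, stdlib=STDLIB, popular=POPULAR, cutoff=0.85):
    """Return sorted (installed_name, finding, reference_name) tuples.

    'stdlib-collision': the distribution name is a standard-library module,
    so a PyPI package by that name has no legitimate reason to exist.
    'lookalike': the name is within `cutoff` similarity of a known name
    without being identical to it (e.g. 'urllib2', 'setup-tools').
    """
    stdlib_n = {normalize(n) for n in stdlib}
    popular_n = {normalize(n) for n in popular}
    findings = []
    for name in installed:
        if name in stdlib_n:
            findings.append((name, "stdlib-collision", name))
            continue
        if name in popular_n:
            continue  # exact match with a known distribution; nothing to flag
        matches = difflib.get_close_matches(name, stdlib_n | popular_n, n=1, cutoff=cutoff)
        if matches:
            findings.append((name, "lookalike", matches[0]))
    return sorted(findings)


if __name__ == "__main__":
    # In practice feed real output: python audit.py < <(pip freeze)
    for name, kind, ref in audit(parse_freeze(SAMPLE_FREEZE)):
        print(f"{name}: {kind} (reference: {ref})")
```

A hit is a reason to inspect the installed distribution's setup.py and its origin, not proof of compromise; the cutoff trades false positives for recall and should be tuned against the environment's actual package set.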
In response, PyPI has issued a statement which says, in part, “Since the publishing of the announcement we’ve received many suggestions for how to prevent this sort of attack in the future. We’re considering all of the options and nothing is off the table, but we caution that any solution will take time to implement.” The statement also noted that PyPI is run by volunteers and does not have any full-time staff.