PyPI fights scammers and temporarily prohibits adding new users and projects
Administrators promised to return to normal operation once they had found a way to deal with the attackers.
Registration of new users and new projects on the Python Package Index (PyPI), the main Python package repository, was temporarily suspended for two days, May 20 and 21, because of increased malicious activity. The decision was driven by an overloaded moderation team, some of whose members were on vacation, that could no longer keep up with the large number of malicious projects. The restriction has since been lifted.
A surge in attackers publishing malicious packages pushed the number of malicious projects registered in the repository beyond the PyPI team's ability to respond quickly.
The developers planned to revise their review procedures within a few days in order to expedite the resumption of user and project registration on PyPI.
According to statistics from Sonatype, a software supply chain security company, 6,933 malicious packages were detected in the PyPI repository in March 2023 alone, and since 2019 the number of malicious packages has exceeded 115,000. In December 2022, 144,000 packages carrying phishing links and spam were published in a single campaign against the NuGet, npm and PyPI repositories.
Attackers often use typosquatting: they choose names for malicious packages that closely resemble the names of popular libraries (for example, “exampl” instead of “example”, “djangoo” instead of “django”, “pyhton” instead of “python”). A user who mistypes the name or fails to notice the difference installs the attacker's package, and since a package can run arbitrary code at install time, this is enough to compromise the system. Attackers typically use such packages to exfiltrate confidential information found on the victim's local system, including passwords, access keys, cryptocurrency wallet data, tokens, session cookies and other sensitive data.
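As an added example (not code from the article or from PyPI itself), the following script shows one practical defence against the typosquatting described above: it parses a requirements file, normalizes each name the way PyPI does (PEP 503), and flags any name that is not on a list of known-popular packages but is within one edit (including an adjacent-character swap, which catches “pyhton”) of one. The list of popular packages and the requirements file are constructed for the demo; in practice the list would come from PyPI download statistics for the top few thousand projects.

```python
import re
from typing import Dict, List, Optional

# Constructed list of popular package names for this demo (assumption).
# A real check would load the top-N names from PyPI download statistics.
POPULAR_PACKAGES = ["example", "django", "python", "requests", "numpy", "urllib3"]


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transpositions, so 'pyhton' is one edit from 'python'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(line: str) -> Optional[str]:
    """Return the project name from one requirements.txt line, or None for
    blank lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return m.group(1) if m else None


def find_lookalikes(requirements: List[str], popular: List[str],
                    max_distance: int = 1) -> Dict[str, List[str]]:
    """Map each requested name that is NOT a known popular package but lies
    within max_distance edits of one to the popular names it resembles."""
    known = {normalize_name(p) for p in popular}
    hits: Dict[str, List[str]] = {}
    for line in requirements:
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize_name(name)
        if norm in known:           # exact match: nothing to flag
            continue
        near = sorted(p for p in known if osa_distance(norm, p) <= max_distance)
        if near:
            hits[norm] = near
    return hits


# Constructed requirements file for the demo: the article's three look-alike
# names mixed with legitimate entries, a comment and a pip option.
SAMPLE_REQUIREMENTS = [
    "# pinned dependencies",
    "requests==2.31.0",
    "Django>=4.2",
    "exampl",
    "djangoo~=1.0",
    "pyhton",
    "numpy  # numeric",
    "-r other.txt",
]

if __name__ == "__main__":
    for name, matches in find_lookalikes(SAMPLE_REQUIREMENTS, POPULAR_PACKAGES).items():
        print(f"{name!r} is one edit away from popular package(s) {matches}")
```

A hit is a signal, not a verdict: legitimate packages sometimes sit one edit from a popular name, so the check belongs in a review step or a CI gate that fails closed on unreviewed names, not in an automatic block. Distance is measured on normalized names because PyPI treats `Foo_Bar`, `foo-bar` and `foo.bar` as the same project.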
In December 2021, the administrators of the Python Package Index (PyPI) removed three malicious packages (aws-login0tool, dpp-client and dpp-client1234) that exfiltrated environment variables and installed trojans on affected systems.
In January 2023, Fortinet found three more packages of the same kind (colorslib, httpslib and libhttps), uploaded between 7 and 12 January 2023; they too were removed from PyPI upon discovery.
In March 2023, the PyPI package colorfool was caught distributing malware that the risk consulting firm Kroll named “Color-Blind”.
The same month, the PyPI packages “microsoft-helper” and “reverse-shell”, identified by Sonatype, were found to drop information stealers that abused Discord to exfiltrate stolen secrets.