News

From January to October last year, 1,493 malicious packages were uploaded to PyPI, and 6,977 malicious packages were uploaded to NPM. Last September, PyPI supply chain attacks escalated.
The setup.py file in the malicious PyPI packages used in this attack contained a payload encoded in base64 for obfuscation, which involved the execution of a PowerShell command on Windows systems.
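The pattern above (a base64 blob in setup.py that is decoded and executed at install time, here spawning PowerShell) is easy to check for without running the installer. The following scanner is an added example written for this page, not code from the reporting or from any package it mentions: it parses setup.py with the `ast` module, flags `exec()`/`eval()` calls fed from a decode function, and decodes string literals that look like base64 to see whether the hidden text carries execution or network indicators. The sample setup.py is constructed and its decoded text merely echoes a string; nothing in it is executed.

```python
import ast
import base64
import binascii
import re

# Constructed sample, not taken from any real package: it mimics the pattern described
# above (a base64 blob decoded and exec'd from setup.py at install time). The hidden
# text only echoes a string, and this scanner parses and decodes it without executing it.
_HIDDEN = 'import subprocess\nsubprocess.run(["powershell", "-c", "echo hello"])\n'
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64\n"
    f"exec(base64.b64decode({base64.b64encode(_HIDDEN.encode()).decode()!r}))\n"
    "setup(name='example-pkg', version='0.0.1')\n"
)

# Indicators of install-time execution or network access inside decoded text.
SUSPICIOUS = re.compile(
    r"powershell|cmd\.exe|subprocess|os\.system|urllib|requests\.|socket\.|exec\(|eval\(", re.I
)
DECODE_FUNCS = {"b64decode", "b32decode", "b16decode", "decodebytes"}


def _try_b64(text):
    """Decode text as base64 if it plausibly is one; return str or None."""
    if len(text) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=\s]+", text):
        return None
    try:
        return base64.b64decode(text).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def _is_decode_call(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in DECODE_FUNCS)


def scan_setup_py(source):
    """Return findings: exec()/eval() of a decode result, and string literals whose
    base64 decoding carries execution indicators. Each finding is a dict with
    'kind', 'line', 'indicators' and 'decoded'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")
                and any(_is_decode_call(sub) for arg in node.args for sub in ast.walk(arg))):
            findings.append({"kind": "exec_of_decoded", "line": node.lineno,
                             "indicators": [], "decoded": None})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _try_b64(node.value)
            if decoded is None:
                continue
            hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(decoded)})
            if hits:
                findings.append({"kind": "encoded_payload", "line": node.lineno,
                                 "indicators": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f["kind"], "at line", f["line"], f["indicators"])
```

The check is deliberately static: `pip download --no-deps` the sdist, unpack it, and run the scanner over setup.py before anything is built. It will not catch payloads that are double-encoded or assembled at runtime, so treat a hit as a reason to inspect, and a miss as no verdict.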
PyPI is the official Python Package Index that currently contains 500,972 projects, 5,228,535 releases, 9,950,103 files, and 770,841 users. PyPI helps users locate and install ...
As part of a new report by Snyk, researchers analyze one of these malicious Python packages named “cyphers,” showing how malicious code hidden in the “setup.py” file is used to install two ...
Starting a little over a month ago, the attackers uploaded several non-malicious Python packages, such as ‘spl-types,’ to establish credibility and evade detection for a future attack, via the ...
Python's Unicode support can be easily abused to hide malicious string matches, making code appear innocuous while still performing malicious behavior. In this case, the stealing of sensitive data ...
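The mechanism behind this is PEP 3131: CPython NFKC-normalizes every identifier at parse time, so a name spelled with, say, mathematical monospace letters is the same binding as its ASCII form, while a grep over the raw source never sees the ASCII spelling. The code below is an added example for this page, not from the reporting or any package it describes. It constructs a small sample (nothing in it runs), lists every identifier whose raw spelling is non-ASCII together with the form Python actually binds, and confirms via `ast` that the parser sees plain ASCII names.

```python
import ast
import io
import tokenize
import unicodedata


def _mathmono(word):
    """Spell an ASCII word with MATHEMATICAL MONOSPACE SMALL letters (U+1D68A..U+1D6A3).
    Used here only to construct the sample; NFKC maps each back to the ASCII letter."""
    return "".join(chr(0x1D68A + ord(c) - ord("a")) if "a" <= c <= "z" else c for c in word)


# Constructed sample, not from any real package. The names 'secret' and 'exfil' never
# appear as ASCII in the text, so a grep for them finds nothing, yet CPython reads
# them as exactly those identifiers. Nothing here is executed.
SAMPLE_SOURCE = (
    "import json\n"
    f"{_mathmono('secret')} = json.dumps({{'token': 'x'}})\n"
    f"def {_mathmono('exfil')}(url):\n"
    f"    return (url, {_mathmono('secret')})\n"
)


def find_lookalike_identifiers(source):
    """(line, raw_identifier, nfkc_form) for every NAME token containing non-ASCII
    characters. tokenize returns the raw spelling, so the disguise is visible here."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            hits.append((tok.start[0], tok.string, unicodedata.normalize("NFKC", tok.string)))
    return hits


def parsed_names(source):
    """Identifiers as the parser binds them: CPython NFKC-normalizes identifiers at
    parse time (PEP 3131), so the disguised spellings collapse to plain ASCII names."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, ast.FunctionDef):
            names.add(node.name)
    return sorted(names)


if __name__ == "__main__":
    for line, raw, norm in find_lookalike_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} is really {norm!r}")
    print(parsed_names(SAMPLE_SOURCE))
```

For review tooling the practical rule is to match on the NFKC form (or simply flag any non-ASCII identifier in a package that has no reason to use them) rather than on the raw bytes, since the raw text is exactly what the attacker controls.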
I write my own numerical tools in python, and have used pip for years to add functionality like scipy and matplotlib over time. They have been such good tools. It's a real gut-punch to see this.
Credential stealing seems to be the main goal. Once executed on a machine, the fshec2 malicious payload collects information about the system such as usernames, directory listings, and hostnames ...
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ...
A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, ...
A malicious Python Package Index (PyPI) package, dubbed “aiocpa” and engineered to steal cryptocurrency wallet data, has been uncovered by security researchers. The package posed as a legitimate ...