The maintainers of the Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to sign up and upload new packages until further notice.
"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the admins said in a notice published on May 20, 2023.
No further details about the nature of the malware and the threat actors involved in publishing these rogue packages to PyPI have been disclosed.
The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments.
Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in an effort to hijack cryptocurrency transactions.
ReversingLabs, in a similar discovery, identified several npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drop a trojan called TurkoRat.