
Software supply chain attacks caused PyPI to temporarily suspend new users and projects

Technical | May 24 2023 | 1 min read

In the past several months, the Python Package Index (PyPI), the official third-party repository for Python packages, has faced a surge in malicious users and projects. One of these software supply chain attacks, a malicious package that was uploaded to PyPI, was found by the Apiiro AI risk engine in December 2022.

This malicious activity has strained PyPI operations, leading to delayed responses and, ultimately, the decision to pause new user and project registration. From the PyPI blog on May 20th:

“The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”

Recognizing the urgency of the situation, the PyPI team decisively implemented measures to counteract rising software supply chain threats and mitigate the impact of malicious activities within the registry. They focused on bolstering their response capabilities, improving security protocols, and reinforcing the overall integrity of PyPI for the greater community.

As always, PyPI recognizes the power of collaboration and the importance of community involvement in addressing such challenges. They have actively sought assistance and feedback from the Python community to identify and neutralize malicious projects. By engaging with the community, PyPI aims to leverage the collective knowledge and expertise of Python developers worldwide to effectively tackle this issue.

How Apiiro can help

Compared to legacy SCA solutions, Apiiro’s customers are protected from malicious open source packages that don’t have known CVEs but do have other risky attributes like malicious contribution activity. Apiiro’s proactive and risk-based approach to open source security combines multidimensional risk analysis with real-time scanning and graph-based context for unparalleled prioritization. 

Apiiro continuously scans open source packages in repositories and developer behavior. The findings are fed into the Apiiro Risk Graph, which enriches signals with relevant context from customers’ application architecture and attack surface, empowering AppSec engineers and developers to prioritize risks that matter to their business. By tying risks to relevant code owners, providing remediation guidance, and embedding risk-based guardrails directly in developer workflows, Apiiro helps teams fix critical risks faster.
