Python developers use PyPI to add software libraries composed by different developers in their own ventures. Other programming languages implement similar package management systems, all of which request some degree of trust. Developers are frequently encouraged to audit any code they import from an external library however that advice isn't constantly followed. Package management systems like npm, PyPI, and RubyGems have all had to eliminate sabotaged packages as of recent years. Malware creators have discovered that in the event that they can get their code included in well-known libraries or applications, they get free dissemination and trust they haven't acquired.
A month ago, security researcher Alex Birsan showed that it is so easy to exploit these systems through a type of typosquatting that misused the interplay between public and private package registries. The downpour of vindictive Python packages over the previous week included unauthorized versions of projects like CuPy, an implementation of NumPy-compatible multi-dimensional array on CUDA, Nvidia's parallel computing platform.
In a GitHub issued post, Kenichi Maehashi, a project maintainer, relates how cupy-cuda112 (CuPy worked for CUDA 11.2) was uploaded on February 25, 2021, then detected and eliminated a day later. Python has a policy for managing such a thing. On Monday, Ee W. Durbin III, director of infrastructure at the Python Foundation, said the large number of culpable packages had been taken out but expressed hesitance to boycott the account responsible because the account holder could simply register for another account.
The name utilized by the malware writer, "RemindSupplyChainRisks," gives off an impression of being an attempt to call attention to an aspect of software distribution that most developers already understand is fraught with potential problems.
Read more https://www.ehackingnews.com/2021/03/python-package-index-removed-3653.html
