Python's PyPI repository is broken!

What's PyPI?

If you have used "pip install" to install any Python package, you are downloading it from a PyPI repository.

In 99% of your use cases, you have never opened the installed package to check its source code, and that's fine; you aren't expected to. It's a library, and it is supposed to provide a utility for you to build a more complex program, where all your focus typically lies.

But time and again it's been discovered that many of these libraries are also either installing a crypto mining program or stealing your sensitive information like AWS keys and GitHub account credentials. This has been such a consistent problem that it has ceased to gather any attention altogether now.

How is this possible, you may ask? Well, it's because anyone can upload a new package on the PyPI repository and its maintainers do little to check for any malicious code being uploaded.

The most common trap is libraries with similar-looking names. "requests" is a legitimate library, whereas "request" is malware which every now and then keeps popping up on PyPI. Now if you mistakenly happen to type the command

"pip install request"

you have successfully loaded malware that steals your passwords stored in the system.

Python was listed as one of the top 3 popular languages in the Stack Overflow 2021 survey. Trust in the ecosystem is a big factor in Python's universal usage, and PyPI's current condition has the capabilities to single-handedly destroy it.

This needs a fix!
------------------------------
Ashwani Paliwal
CEO
SecOps Solution
------------------------------
There are advisories if the vulnerability has been identified inside Python's built-in libraries.
But no advisories if a 3rd-party and especially less-popular library has been identified as malware. Most security folks rely on whitepapers and publications to keep them abreast of any such findings, like this one: https://www.bleepingcomputer.com/news/security/pypi-python-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/