Malicious package flood on PyPI might be sign of new attacks to come
28-Feb-23
Thousands of malicious Python packages were uploaded over the weekend by an attacker to the public PyPI (Python Package Index) software repository. These files will download and install a Trojan programme from Dropbox if run on a Windows computer.
Public package repositories being flooded with malicious packages is nothing new. Researchers found a collection of 186 packages from the same account on the JavaScript npm repository last year that were intended for Linux PCs and installed cryptomining software. Nevertheless, experts on Twitter said that this most recent issue on PyPI involved more than 5,000 packages and had a far wider scope.
