
Python administrator moves to improve software security

This package volume means the index is under constant threat from malicious actors, with attacks that include publishing similarly named packages to typosquat legitimate ones or to create dependency confusion, as Tom Callaway wrote in a blog in 2023. “Since Python is modular in nature, most Python applications rely heavily on PyPI to provide the necessary dependencies for core functions rather than reinventing them each time. PyPI is also the primary distribution point for Python applications and libraries.”

The language “is something new programmers are attracted to because it is easy to learn, and this means many developers aren’t necessarily thinking about security,” Ed Woodruff, an offensive security expert, told CSO. “Before the quarantine effort, there wasn’t much emphasis on security, and I am happy to see this project taking the lead.”

How other open-source projects fare against bad actors

Other open-source projects have lower new package volumes or have commercial organizations with funding and resources to act as hall monitors. Take NPM, the index of JavaScript software that is maintained by GitHub as an example of the latter situation. “GitHub is great at screening for malware, and they have some of the best security researchers in the world,” Janet Worthington, a Forrester Research analyst, told CSO.
