Python-Community-News / Topics

Submit topics to PCN to be covered on the Show
MIT License

PYPI Security Recap #102

Open kjaymiller opened 1 year ago

kjaymiller commented 1 year ago

URL

https://twitter.com/di_codes/status/1610781657128108033

When was this post released

4 January 2023

Summary

In 2022, the @pypi team removed >12,000 unique projects. Each was an instance of spam, typosquatting, dependency confusion, exfiltration and/or malware.

Projects removed per year:

- 2022: ~12K (mostly malware)
- 2021: ~27K (mostly dependency confusion)
- 2020: ~500
- 2019: 65
- 2018: 137
- 2017: 38

Ingram brings up that most of the work has been handled by himself and Ee Durbin, the Director of Infrastructure. Ingram calls for more support to provide PyPI with paid staff.

Ingram also acknowledges that much of the detection of these attacks is done with the help and support of security and observability companies like @sonatype, @Phylum_IO, @Checkmarx, @jfrog, @datadoghq, @nao_sec, @loginsoft_inc, @checkpointsw, [@theopenssf](https://twitter.com/theopenssf) and some others.

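The tweet counts removed projects by category but does not describe how such packages are spotted. The following is an added example, not code from this issue, from PyPI, or from any of the companies named above: a small offline heuristic that flags the two name-based categories in a requirements file, typosquats (a name within one edit of a well-known package) and dependency-confusion candidates (an internal-only name that also resolves on the public index). The popular-name list, the internal-name list, the public-index set and the requirements text are all constructed sample data; a real check would consult your private index and pypi.org.

```python
"""Heuristic check for typosquat and dependency-confusion package names.

Added example for illustration only; it is not PyPI's detection code.
All name lists and the requirements file below are constructed samples.
"""
import re

# Constructed sample: a handful of well-known public package names.
# A real check would load the top-N names from PyPI download statistics.
POPULAR = {"requests", "numpy", "urllib3", "cryptography", "boto3"}

# Constructed sample: names that should exist only on a private index.
INTERNAL = {"acme-billing", "acme-auth"}

# Constructed sample standing in for a lookup against the public index.
# "acme-auth" is deliberately present here: an internal name that someone
# has also published publicly is the classic dependency-confusion setup.
PUBLIC_INDEX = POPULAR | {"acme-auth", "reqeusts", "urlib3", "python-dateutil"}

# Constructed sample requirements.txt.
REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
reqeusts            # transposed letters: looks like requests
urlib3>=1.26        # dropped letter: looks like urllib3
acme-billing        # internal only: fine
acme-auth           # internal name that also exists publicly
python-dateutil
"""


def normalize(name):
    """PEP 503 name normalization: runs of -, _ and . become -, lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1. Transposition matters because
    swapped letters are the most common typosquat pattern."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_requirements(text):
    """Return the bare project names from a requirements file, dropping
    comments, pip options (-r, --index-url, ...), specifiers and markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_requirements(text, popular=POPULAR, internal=INTERNAL, public=PUBLIC_INDEX):
    """Flag (name, reason) pairs. A requirement is a dependency-confusion
    candidate if it is an internal name that also resolves publicly, and a
    typosquat candidate if it is one edit away from a popular name."""
    findings = []
    for name in parse_requirements(text):
        n = normalize(name)
        if n in internal and n in public:
            findings.append((name, "dependency-confusion"))
        for p in sorted(popular):
            if n != p and edit_distance(n, p) <= 1:
                findings.append((name, "typosquat-of:" + p))
    return findings


if __name__ == "__main__":
    for name, reason in check_requirements(REQUIREMENTS):
        print(f"{name}: {reason}")
```

This only covers the name-based categories; exfiltration and malware hidden in setup.py or an import hook need content scanning, which is what the vendors listed above contribute. Treat a dependency-confusion hit as a configuration problem as much as a package problem: the fix is to pin the private index for internal names rather than to rely on a blocklist.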

kjaymiller commented 1 year ago

An interview was conducted and we are currently working on a longer piece that will include some of the findings.