A third of PyPi software packages contains flaw to execute code when downloaded
The findings, discovered by Checkmarx and published Friday, underscore how open source software repositories like PyPi are increasingly being targeted and leveraged by malicious actors.
The essential resource for independent news analysis, forward-looking features, product reviews, events, and professional recognition programs. Sharing insight and guidance in partnership with, and for, top-level information security executives and their technical teams.
Warning: PyPI Feature Executes Code Automatically After Python Package Download
Publishing Python Packages on PyPI: A Comprehensive Guide”, by Ewho Ruth
Even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code : r/programming
How To Implement Continuous Deployment of Python Packages with GitHub Actions
Finding malicious PyPI packages through static code analysis: Meet GuardDog
An example of an executed notebook with Markdown, code, and output
Python
Extra, Extra, VERT Reads All About It: Cybersecurity News for the Week of August 15, 2022
New malicious packages in PyPI: What it means for securing open source repositories
Another day of malware: Malicious 'botaa3' PyPI package taken down
Malicious PyPI packages resemble a legitimate VMware vSphere connector
An updated tutorial on reproducible PyPI applications for advancing chemometrics and boosting learner motivation - ScienceDirect
Six malicious packages on the Python Package Index (PyPI) package manager were founded