PyPI temporarily suspends new users and projects amidst massive malware
With its administrators struggling to cope with the influx of malicious users and packages, PyPI announced on May 20, 2023 that the Python Package Index has suspended new user registrations and new project uploads until further notice.
The Python Package Index (commonly referred to as PyPI) is the official third-party registry for open source Python packages.
The number of malicious users and malicious projects created on the Index in the past week exceeded the administrators' ability to respond in a timely manner, especially with multiple PyPI administrators on vacation.
While registry administrators have yet to reveal the exact culprit (malicious actor and project name) that caused them to freeze new registrations on the platform, this precaution is expected to ward off adversaries until a more permanent solution is found.
Like other open source registry administrators, PyPI is no stranger to abuse by adversaries looking to distribute malware.
In March 2023, a malicious PyPI package, colourfool, was found to be distributing what the risk consulting firm Kroll called "Color-Blind" malware.
In the same month, the PyPI packages "microsoft-helper" and "reverse-shell", identified by Sonatype, were found to drop information-stealing programs that abused Discord to leak confidential information. The
This suspension is unlikely to prevent existing maintainers of Python packages already in the registry from releasing updated versions of their artifacts.