June 22, 2021 By Tara Seals
These code bombs lurk in the PyPI package repository, waiting to be inadvertently baked into software developers’ applications.
A group of cryptominers was found to have infiltrated the Python Package Index (PyPI), which is a repository of software code created in the Python programming language.
Similar to other repositories like GitHub, npm and RubyGems, PyPI is part of the software supply chain. It offers a place where coders can upload software packages for use by developers in building various applications, services and other projects. Unfortunately, a single malicious package can be baked into multiple different projects – infecting them with cryptominers, info-stealers and more, and making remediation a complex process.