This package volume means that the registry is an attractive target for malicious actors, with attacks that include typosquatting (publishing packages whose names mimic legitimate ones) and dependency confusion, as Tom Callaway wrote on the blog in 2023. Naturally, many Python applications rely heavily on PyPI to provide the dependencies for core functions instead of reinventing them individually. PyPI is also the main distribution center for Python applications and libraries.
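As an added illustration of the two attack classes mentioned above (not code from the article, PyPI or any named project), the following hypothetical script audits a requirements file: it flags package names that sit within a short edit distance of a well-known public name, and internal-only names that pip would still resolve against the public index. The allowlist, the internal names and the sample requirements are constructed for the example.

```python
"""Audit a requirements file for the two PyPI attack classes named in the
article: typosquatting and dependency confusion. Hypothetical helper,
not code from the article, PyPI or any named project."""
import re

# Constructed allowlist of well-known public names (a real deployment
# would load a curated list instead of hard-coding five entries).
KNOWN_PUBLIC = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}
# Constructed names that exist only on a private, internal index.
INTERNAL_ONLY = {"acme-billing", "acme-auth"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Return (package, finding) pairs for lines that look suspicious."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    # Only --index-url (not --extra-index-url) keeps pip off the public
    # index, so internal names are safe only when exactly that is set.
    private_only = any(ln.startswith("--index-url") for ln in lines) and not any(
        ln.startswith("--extra-index-url") for ln in lines)
    findings = []
    for line in lines:
        if not line or line.startswith("-"):
            continue
        name = normalize(re.split(r"[<>=!~\[;@ ]", line, maxsplit=1)[0])
        if name in INTERNAL_ONLY:
            if not private_only:
                findings.append((name, "dependency-confusion"))
        elif name not in KNOWN_PUBLIC:
            near = sorted(k for k in KNOWN_PUBLIC if 0 < edit_distance(name, k) <= 2)
            if near:
                findings.append((name, f"typosquat? resembles {near[0]}"))
    return findings

# Constructed sample requirements file with one typo and one internal name.
SAMPLE = "requests==2.31.0\nrequets\nacme-billing>=1.0\nnumpy\n"

if __name__ == "__main__":
    for pkg, finding in audit_requirements(SAMPLE):
        print(f"{pkg}: {finding}")
```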
The language “is a new thing that programmers are attracted to because it’s easy to learn, and this means that many developers don’t really think about security,” Ed Woodruff, an offensive security expert told CSO. “Before the desegregation effort, there wasn’t much emphasis on security, and I’m glad to see this project take the lead.”
How are other open source projects doing against bad actors?
Some open source projects have a lower volume of new packages, or have commercial organizations with the funding and resources to act as hall monitors. Take NPM, the JavaScript package registry maintained by GitHub, as a recent example. “GitHub is great at checking for malware, and it has the best security researchers in the world,” Janet Worthington, an analyst at Forrester Research, told CSO.