PyPI Disables Sign-ups and Package Uploads Processes Due to Ongoing Attack

Python Package Index (PyPI) maintainers have temporarily suspended user sign-ups and package uploads due to an ongoing attack.

This decision seems to be due to a recent surge of newly created rogue accounts and malicious package uploads on the index.

“New user and new project name registration on PyPI is temporarily suspended,” PyPI said in a security advisory. “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave. While we re-group over the weekend, new user and new project registration is temporarily suspended.”

The announcement fails to elaborate on the attack's nature and doesn’t identify the perpetrators. However, PyPI is often targeted by threat actors who exploit it to carry out supply-chain attacks against developers.

Cybercrooks disguise malicious packages as legitimate on PyPI in a bid to trick developers into accessing them. Such an attack often entices developers to use the package by appending higher version numbers, resembling updated iterations of legitimate software.

This is not the first security incident befalling PyPI; last year, researchers spotted a wave of phishing attempts aimed at Python project managers. The campaign involved a fake mandatory validation process for PyPI users, telling them to validate their projects to avoid being removed from the repository.

PyPI is constantly adapting to the ever-evolving digital threat landscape, and the temporary suspension of user sign-ups and package uploads serves as proof of its commitment. In the past, the popular software repository took other steps to secure its platform, including enforcing mandatory 2FA policy for critical projects.