What’s PyPI?
If you have used “pip install” to install any Python package, you are downloading it from a PyPI repository.
In 99% of your use cases, you have never opened the installed package to check its source code, and that’s fine; you aren’t expected to.
It’s a library and it is supposed to provide a utility for you to build a more complex program where all your focus typically lies.
But time and again it’s been discovered that many of these libraries are also installing a crypto mining program or stealing your sensitive information, like AWS keys and GitHub account credentials.
This has been such a consistent problem that it has ceased to gather any attention altogether now.
How is this possible, you may ask? Well, it’s because anyone can upload a new package to the PyPI repository and its maintainers do little to check for any malicious code being uploaded.
The most common trap is libraries with similar-looking names. “requests” is a legitimate library, whereas “request” is malware which every now and then keeps popping up on PyPI.
Now if you mistakenly happen to type the command
“pip install request”
you have successfully loaded malware that steals the passwords stored on your system.
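A defensive check for the look-alike-name trap described above, added here as an example and not part of the original post: it flags names in a requirements list that are one edit (insert, delete, substitute or swap of adjacent letters) away from a package you trust. The TRUSTED allowlist, the SAMPLE lines and the function names are assumptions constructed for illustration.

```python
import re

# Constructed allowlist of packages this project trusts (assumption; use your own).
TRUSTED = {"requests", "numpy", "pandas", "urllib3", "boto3", "python-dateutil"}

# Constructed sample requirements lines.
SAMPLE = ["requests==2.31.0", "request", "# pinned deps", "Reqeusts>=2",
          "numpy", "python_dateutil", "flask"]

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "reqeusts" vs "requests".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_requirements(lines, trusted=TRUSTED, max_distance=1):
    """Return [(requested, lookalike_of)] for names close to, but not in, trusted."""
    trusted_norm = {normalize(t) for t in trusted}
    findings = []
    for line in lines:
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue  # comment, blank line or pip option such as "-r file"
        name = normalize(m.group(1))
        if name in trusted_norm:
            continue  # exact match after normalization is fine
        for t in sorted(trusted_norm):
            if edit_distance(name, t) <= max_distance:
                findings.append((name, t))
                break
    return findings

if __name__ == "__main__":
    for requested, real in check_requirements(SAMPLE):
        print(f"suspicious: '{requested}' looks like trusted package '{real}'")
```

A name that is simply unknown, such as “flask” in the sample, is not flagged; the check only reports near-misses of names on the allowlist.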
Python was listed as one of the top 3 popular languages in the StackOverflow 2021 survey. Trust in the ecosystem is a big factor in Python’s universal usage, and PyPI’s current condition has the potential to single-handedly destroy it.
This needs a fix!