Security advisory regarding Python/Conda/pip/PyPI

AUDIENCE: All Python/Conda users

IMPACT: Potential malicious packages installed or malware downloaded

Numerous packages containing malware or malicious links have been uploaded to the PyPI (Python Package Index) repository. Many of these have names that are slight misspellings of the names of other, legitimate packages. The intention is that one of these packages gets installed when a user mistypes the name of the package they actually meant to install.

Please be aware that this kind of ‘supply chain’ attack is always possible with open repositories of this sort. Anyone can add to them, and there is no centralized vetting or curation of packages.

Please always double-check the name of any package before installing into your environment or on your local machine. This advice applies to all software and repositories, but with particular current scrutiny on the PyPI repository and cupy packages. Always ensure software you are installing is from a credible, trusted source and that the URL or package name is correct.
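One way to turn that advice into a pre-install check, as an added example that is not part of this advisory: the script below normalizes a requested name the way PyPI does (PEP 503 name normalization) and flags any name that is only a small edit away from a package on a project-specific allow-list. The allow-list and the sample names are constructed placeholders; substitute the packages your own environment actually depends on.

```python
import re

# Constructed allow-list of packages this environment is expected to use.
# Replace with the packages your own project actually depends on.
TRUSTED_PACKAGES = ["numpy", "scipy", "requests", "cupy", "pandas"]


def normalize(name: str) -> str:
    """Normalize a project name per PEP 503: lower-case and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_package_name(requested: str, trusted=TRUSTED_PACKAGES, max_distance: int = 2):
    """Return (verdict, closest_trusted_name).

    "trusted"    - the name is exactly one on the allow-list (after normalization)
    "suspicious" - the name is within max_distance edits of a trusted name
                   (a possible typosquat; verify on pypi.org before installing)
    "unknown"    - not on the allow-list and not a near-miss; review manually
    """
    req = normalize(requested)
    canon = {normalize(t): t for t in trusted}
    if req in canon:
        return "trusted", canon[req]
    best = min(canon, key=lambda t: levenshtein(req, t))
    if levenshtein(req, best) <= max_distance:
        return "suspicious", canon[best]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample names: one exact match, one case variant, two near-misses, one unrelated.
    for name in ["numpy", "Requests", "nmupy", "requets", "totally-different"]:
        print(f"{name:20} -> {check_package_name(name)}")
```

A "suspicious" result is a prompt to look the name up on pypi.org and confirm the project you intended, not proof that the package is malicious; very short names will produce more near-miss hits, so lower `max_distance` for those.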

If you believe you have installed a malicious package, please contact us ASAP at:
rchelp@rc.fas.harvard.edu

Additional details/links:
Search PyPI projects: https://pypi.org/
https://github.com/pypa/pypi-support/issues/923