News
Codified in PEP 582, Python allows a __pypackages__ directory to contain version-specific editions of packages that can be imported before packages from the base install of Python, or even a venv.
Malicious PyPI packages, repo hijacks, and CVEs in Python containers put devs at risk. Learn how to stay secure.
Placing malicious code in `setup.py`, however, allows malware to be installed and go unnoticed even if the package, or Python itself, is never used at all.
Conclusion: PyPI continues to be abused by cyberattackers to compromise Python programmers' devices. This campaign displays a variety of techniques being used to include malware in Python packages.
A recently spotted supply chain attack abused an old but legitimate Python package to deliver a malicious payload. Read more on how the attacker managed to do it and how to protect yourself from it.
Package installers and management tools — pip in the case of Python — have their own internal package selection logic when faced with two packages of the same name from two different defined ...
Using pip is the most conventional and best-supported way to package a Python application for re-use. Just take your application directory and outfit it with a setup.py file, which turns it into a ...
Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year.