News

You might be wondering what a Python “package” is, and how it relates to the Python module. Essentially, a package is a group of modules with an __init__.py file that ties them all together.
Devs unknowingly use “malicious” modules snuck into official Python repository. Code packages available in PyPI contained modified installation scripts.
A directory of Python files (essentially, a module) can be packaged into a .pyz file—a .zip-format archive—and given to someone else who has the Python runtime.
Furthermore, this package doesn’t even try to hide its true intentions, and instead is “openly malicious”. Despite being obvious malware, it still managed to rake in 37,217 downloads.
The malicious code was intended for use with Python 2.x, and it generated errors when used in Python 3.x applications. This is how users discovered its presence while debugging their apps.
A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, ...
Malicious PyPI packages, repo hijacks, and CVEs in Python containers put devs at risk. Learn how to stay secure.
And so, only relatively recently did third-party modules start showing up that allow Python apps to be packaged as standalone binaries. PyInstaller — which I covered previously — is one such app.
Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year.