News

A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems.
A whitepaper sounds the alarm on threats hidden as Python "phantom dependencies" and offers a solution with the PEP 770 ...
Other tools packaged inside a default Python install include the following: pip, the preferred installer program; Tkinter, for GUI program development; the Python test suite; the py launcher to make it ...
Malicious PyPI packages, repo hijacks, and CVEs in Python containers put devs at risk. Learn how to stay secure.
Over 450 malicious PyPI Python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites.
Conclusion: PyPI continues to be abused by cyberattackers to compromise Python programmers' devices. This campaign demonstrates a variety of techniques for embedding malware in Python packages.
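One of the recurring techniques in these campaigns is an install-time hook: a setup.py that overrides the install command and decodes and executes a hidden payload the moment pip runs it. The following is an added example, not code from any of the articles above, showing a simple AST-based triage of a package's setup.py for that pattern. The indicator lists, the finding messages, and both sample setup.py files are constructed assumptions for illustration; the hidden string in the malicious sample is base64 of a harmless print() call.

```python
"""Heuristic triage of a PyPI package's setup.py for install-time execution tricks.

Added example: the indicators below are an assumed, illustrative set, not a
complete detector. Run it on an unpacked sdist before installing the package.
"""
import ast
import re
from typing import List

# setup() cmdclass keys that execute during `pip install` (assumed list)
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py", "bdist_wheel"}
# bare names that turn data into running code
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# dotted call prefixes typical of payload decoding, download, or shell-out (assumed list)
DOTTED_PREFIXES = (
    "base64.", "zlib.", "marshal.", "codecs.decode",
    "os.system", "os.popen", "subprocess.",
    "urllib.request.urlopen", "requests.", "socket.", "ctypes.",
)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]+")
MIN_BLOB_LEN = 120  # string literals this long with only base64 characters are suspicious


def _dotted(node: ast.AST) -> str:
    """Return 'a.b.c' for an Attribute chain rooted at a Name (or the Name itself), else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that does not parse is itself worth a look (obfuscation, odd encodings)
        return [f"unparseable setup.py (line {exc.lineno}): possible obfuscation"]

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DYNAMIC_EXEC:
                findings.append(f"line {node.lineno}: dynamic code execution via {name}()")
            elif name.startswith(DOTTED_PREFIXES):
                findings.append(f"line {node.lineno}: call to {name}()")
            if name in ("setup", "setuptools.setup"):
                # cmdclass={"install": SomeClass} replaces the install step with package code
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                                findings.append(
                                    f"line {key.lineno}: cmdclass overrides '{key.value}' "
                                    "(code runs at install time)"
                                )
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            value = node.value
            if len(value) >= MIN_BLOB_LEN and BLOB_RE.fullmatch(value):
                findings.append(
                    f"line {node.lineno}: long base64-looking string literal ({len(value)} chars)"
                )
    return findings


# Constructed sample: an install hook that decodes and exec()s a hidden payload.
MALICIOUS_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ3N0ZWFsZXIgc3R1YicpCg=="))

setup(name="totally-legit-utils", version="0.1.0", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary declarative setup.py with no hooks.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="plain-lib", version="1.0.0", packages=["plain_lib"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_py(src) or "no findings")
```

The scan is a triage aid, not a verdict: a legitimate package can shell out or decode base64, and a determined attacker can hide the same behaviour in an imported module rather than setup.py. Pair it with pip's --require-hashes mode and with installing from wheels, which skip setup.py execution entirely.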
In a search for Python, for instance, one of the matches may be Python 3.11, with the ID Python.Python.3.11. To install that package, run winget install Python.Python.3.11. To be sure you get exactly that package rather than the closest fuzzy match, pass the ID explicitly: winget install --id Python.Python.3.11 --exact.