Here’s an interesting Ars Technica article concerning compromised open-source libraries (specifically a few on PyPI). It highlights the growing challenge for any modern software application that depends on “other people’s software”. Although the code is visible to all, few have the time, resources, or desire to vet all changes. It’s a situation that can be (and has been) exploited for malicious purposes.
Someone replied to the article with this apt xkcd reference.
Openzwave resembled that…