Supply-chain attack analysis: Ultralytics (PyPI Blog)
The Python Package Index (PyPI) Blog has an analysis of the compromise of the ultralytics project, and what PyPI has learned from this event:
PyPI staff and volunteers do their best to remove malware, but because the service is open to anyone looking to publish software there is an unfortunately high amount of abuse. Thankfully most of this abuse does not have the same widespread impact as a targeted attack on an already widely-used project.
Mike Fiedler, the PyPI Safety and Security Engineer, is working on new systems for reducing the time that malware is available to be installed on PyPI, through APIs that security researchers can automatically send reports to and a new "quarantine" release status to prevent harm while a human investigates the situation. Expect more in this space in 2025!