Supply Chain Issues in PyPI
Earlier this year I did some security research into the Python Package Index (PyPI) as well as how it’s used by the package managers Pip and Poetry. The research is summarized in the following blog posts:
1: PyPI Upload Denial of Service
3: Distribution Confusion in PyPI
Edit 5: Trojan Lockfile in PDM
The research was also presented at BSides Oslo in the talk “Unexpected Ways to Distribute Python Packages” [slides].