11-22, 10:10–10:40 (Europe/Vienna), Second Room
NPM recently made headlines in the history of supply chain security. Malware in package registries is, of course, a broader problem. Unlike mobile app stores, popular package registries often do not have enough resources for reviews, and so do not require any prior approval for publication. The Python Package Index is another major player that relies on external reports to detect and remove malicious packages. In this talk, I will present how existing tools can be used for the static and dynamic analysis of Python packages. I will also provide a brief recap of my almost two-year nighttime hunt for malicious packages on PyPI, and offer my subjective view on what has changed and what remains challenging in securing the Python packaging environment.
Software Developer & Architect at CERT.at - Austrian National Computer Emergency Response Team. During the day, I work on notifying you about security events on the Austrian Internet, and at night I experiment with honeypots and recognizing malicious Python packages. Occasionally, I even manage to go to sleep.