PyPI, the official third-party registry of open source Python packages, has temporarily suspended new users from signing up and new projects from being created on the platform until further notice.
The unexpected move comes amid the registry’s struggle to keep up with a large influx of malicious users and packages.
PyPI temporarily halts new user, project signups
As of today, the Python Package Index, more commonly known as PyPI, has temporarily suspended new user registrations and project creations until further notice.
“New user and new project name registration on PyPI is temporarily suspended,” states an incident notice posted by PyPI admins today, May 20th.
“The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”
Although the registry admins have not revealed the exact culprits (the malicious actors and project names) that led them to freeze new registrations on the platform, the preventive move is expected to ward off adversaries until a more permanent solution can be worked out.
“While we re-group over the weekend, new user and new project registration is temporarily suspended.”
Like other open source registries, PyPI is no stranger to being abused by adversaries looking to distribute malware.
In March 2023, the malicious PyPI package colourfool was caught distributing what risk consulting firm Kroll dubbed ‘Color-Blind’ malware.
The same month, the PyPI packages ‘microsoft-helper’ and ‘reverse-shell’, identified by Sonatype, were caught dropping info-stealers that abused Discord to exfiltrate secrets.
Today’s move by PyPI admins is unlikely to prevent existing maintainers of Python packages on the registry from publishing new versions of their artifacts.
This is a developing story…
h/t Adam Reynolds of Sonatype for the tip-off.