Subj : Supply-chain attack analysis: Ultralytics (PyPI Blog)
To   : All
From : LWN.net
Date : Thu Dec 12 2024 16:30:05

Supply-chain attack analysis: Ultralytics (PyPI Blog)

Date:
Thu, 12 Dec 2024 16:26:30 +0000

Description:
The Python Package Index (PyPI) Blog has an analysis of the compromise of
the ultralytics project, and what PyPI has learned from this event: PyPI 
staff and volunteers do their best to remove malware, but
because the service is open to anyone looking to publish software
there is an unfortunately high amount of abuse. Thankfully most of
this abuse does not have the same widespread impact as a targeted
attack on an already widely-used project. Mike Fiedler, the PyPI Safety and 
Security Engineer is working on
new systems for reducing the time that malware is available to be
installed on PyPI, through APIs
that security researchers can automatically send reports to and
new "quarantine"
release status to prevent harm while a human investigates the
situation. Expect more in this space in 2025!

======================================================================
Link to news story:
https://lwn.net/Articles/1001909/


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)

.