Announcing the launch of PyPI Malware Reporting and Response project
We are pleased to announce that the PSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware reporting and response on PyPI. This project will be executed over the coming year.
Currently, malware reports are submitted to PyPI admins by email before being manually triaged and responded to. There is an opportunity for improvement in streamlining the report submission process and the tools used to triage and respond to them. The current process cannot scale easily or handle duplication of reports. It is not easy to measure time to remediation and is currently impossible to implement automated takedown of threats.
This project has the following aims:
- Develop an API that allows malware reporting
- Extend PyPI admin tools to view, collate and handle security reports
- Collect metadata as required and identify trusted reporters
- Define metrics that allow us to define good reporting practices and time to handle a security issue
- Define the criteria for automated consensus based takedown and soft-deletes of packages
- Highlight trusted reporters and report quality
As PyPI is an integral part of the Python ecosystem, this project is crucial in ensuring the security of over 450,000 packages that are trusted by millions of Python developers. Over the next few weeks, we will be working with security reporters to identify key elements that should be supported by the API and useful metrics that would add value to PyPI security reporting. If you or your colleagues are currently performing malware analysis of PyPI uploads, we would love to hear from you at https://forms.gle/ixRoNJEPVNekFN7H7.
Shamika Mohanan is the Packaging Project Manager at the PSF since 2021.