Malware Reporting Evolved
We are lucky to have an engaged community of security researchers that help us keep the Python Package Index (PyPI) safe.
These folks have been instrumental in helping us identify and remove malicious projects from the Index, and we are grateful for their continued support.
Historically, we have asked reporters to email us to report malware per the PyPI Security Policy.
PyPI now has an improved way to report malware, via PyPI itself.
via Web
We have added a new "Report project as malware" button to the project page, at the bottom of the sidebar.
This button will only be visible to logged-in users, as we use that information to help us track the reports and prevent abuse of the system.
When you click the button, you will be asked to provide a reason for the report, including an Inspector link to the specific file and/or lines of code that show evidence of the issue.
via API
We've been hard at work developing this capability for PyPI. It's some of the first user-facing API functionality that we've built that isn't expressly in service of uploading releases to PyPI.
As such, we have a preview beta API to report malware, and have been working with some community members to test it out.
If you're interested in participating, please let us know by completing this Google Form. Once complete, we'll onboard folks to a private GitHub repository with further details within a few days.
Our hope is that by developing the API-centric capabilities, we can further reduce the time it takes to remove malware from PyPI, thus reducing the potential impact on the community at large.
It is still in early phases, so your input can help shape this feature.
Either way
Once submitted, reports will be reviewed by the PyPI administrators, and after a decision is made, the reporter may be notified of the outcome at the email address associated with the reporting account.
This usually happens within a couple of business days.
For more complex cases we may have follow-up questions, so please watch for email from security@pypi.org.
Thanks again for being part of the community that helps keep PyPI safe for everyone.