Supply Chain Issues in PyPI

21/09/23 — wayphinder

This is a cross-post from

Earlier this year I did some security research into the Python Package Index (PyPI) as well as how it’s used by the package managers Pip and Poetry.

The research is summarized in the following blog posts:

  1. PyPI Upload Denial of Service

  2. Reproducibility in PyPI

  3. Distribution Confusion in PyPI

  4. Manifest Confusion in PyPI

The research was also presented at BSides Oslo in the talk “Unexpected Ways to Distribute Python Packages”.