PyPI, the official third-party registry of open source Python packages, has temporarily stopped new users from signing up and new projects from being uploaded to the platform until further notice.
As of today, the Python Package Index, more commonly known as PyPI, has temporarily suspended new user registrations and project creations until further notice.
"New user and new project name registration on PyPI is temporarily suspended," states an incident notice posted by PyPI admins today, May 20th.
"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave."
Although the registry admins have not revealed the exact culprits (malicious actors and project names) that led them to freeze new registrations on the platform, the preventative move is expected to ward off adversaries until a more permanent solution can be figured out.
In March 2023, a malicious PyPI package, colourfool, was caught distributing malware that risk consulting firm Kroll dubbed 'Color-Blind'.