PyPI, the official third-party registry for open source Python packages, has temporarily suspended new user registrations and new project uploads to the platform until further notice.
The unexpected move comes amid the registry's struggle to keep up with a large influx of new users and malicious packages.
PyPI temporarily halts new user and project registrations
As of today, the Python Package Index, more commonly known as PyPI, has temporarily suspended new user registrations and project creations until further notice.
“Registration of new users and new project names on PyPI is temporarily suspended,” states an incident notice posted by the PyPI admins today, May 20.
“The volume of malicious users and malicious projects created on the index over the past week has exceeded our ability to respond to them in a timely manner, especially with several PyPI administrators on leave.”
Although registry admins haven't revealed the exact culprits (the malicious accounts and project names) that led them to freeze new registrations on the platform, the preventative measure should ward off adversaries until a more permanent solution can be found.
“As we regroup over the weekend, new user and project registration is temporarily suspended.”
Like other open source registries, PyPI is no stranger to being abused by adversaries seeking to distribute malware.
In March 2023, a malicious PyPI package, ‘imbecile’, was caught handing out what has been labeled “colorblind” malware by risk consultancy firm Kroll.
The same month, the PyPI packages ‘microsoft-helper’ and ‘reverse-shell’, identified by Sonatype, were caught unleashing information-stealing malware that abused Discord to exfiltrate secrets.
Today's decision by PyPI administrators is unlikely to prevent existing maintainers of Python packages already on the registry from releasing new versions of their artifacts.
This is a developing story…