The PSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware detection on PyPI. This project will be executed over the coming year.
Currently, malware reports are submitted to PyPI admins by email before being manually triaged and responded to. There is an opportunity for improvement in streamlining the report submission process and the tools used to triage and respond to them. The current process cannot scale easily or handle duplication of reports. It is not easy to measure time to remediation and is currently impossible to implement automated takedown of threats.
This project has the following aims:
- Develop an API that allows malware reporting
- Extend PyPI admin tools to view, collate and handle security reports
- Collect metadata as required and identify trusted reporters
- Define metrics that allow us to define good reporting practices and time to handle a security issue
- Define the criteria for automated consensus based takedown and soft-deletes of packages
- Highlight trusted reporters and report quality
Over the next few weeks, we will be working with security reporters to identify key elements that should be supported by the API and useful metrics that would add value to PyPI security reporting. If you or your colleagues are currently performing malware analysis of PyPI uploads, we would love to hear from you at https://forms.gle/ixRoNJEPVNekFN7H7.
Please share this post widely.