TH17137
Detected presence of files containing URLs related to PyPI package publishing API.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
|  | pass | high | high | None | None |
About the issue
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to addresses related to the Python Package Index (PyPI) publishing API. PyPI is the default package registry for the Python ecosystem and hosts Python packages used across web, data science, automation, and tooling applications. Attackers often abuse access to PyPI publishing endpoints to publish malicious packages, tamper with existing releases, or remove legitimate packages under compromised maintainer identities. The presence of such network references in a software package is uncommon and may suggest worm-like behavior, where a compromised package attempts to propagate by publishing additional malicious packages to the PyPI registry.
How to resolve the issue
- Investigate reported detections.
- Consult the MITRE ATT&CK documentation: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools.
- If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
- Delay the software release until the investigation is completed, or until the issue has been risk-accepted.
- Remove all references to flagged network locations.
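As an added triage helper (not ReversingLabs' own detection logic), the following Python scans an unpacked package for references to the PyPI upload endpoints and reports each hit with its file, byte offset and surrounding context, so a reviewer can locate the flagged strings quickly. The URL pattern (upload.pypi.org/legacy/ and test.pypi.org/legacy/, the "legacy" upload API that publishing tools POST to) is an assumption about what such a detection matches; this page does not list the exact addresses Spectra Assure looks for.

```python
import re
from pathlib import Path
from typing import Iterator, List, NamedTuple

# Hosts/paths of the PyPI "legacy" upload API, the endpoint publishing tools POST
# releases to. The pattern is an assumption about what a TH17137-style rule
# matches; it is applied to raw bytes so compiled or minified files are covered.
PUBLISH_URL_RE = re.compile(
    rb"https?://(?:upload\.pypi\.org|test\.pypi\.org)/legacy/?",
    re.IGNORECASE,
)


class Hit(NamedTuple):
    path: str      # file the reference was found in
    offset: int    # byte offset of the match
    url: str       # the matched publishing URL
    context: str   # surrounding bytes, for triage


def scan_bytes(data: bytes, path: str = "<memory>", width: int = 40) -> List[Hit]:
    """Return every PyPI publishing URL in `data` together with nearby context."""
    hits = []
    for m in PUBLISH_URL_RE.finditer(data):
        lo, hi = max(0, m.start() - width), min(len(data), m.end() + width)
        ctx = data[lo:hi].decode("utf-8", errors="replace").replace("\n", "\\n")
        hits.append(Hit(path, m.start(), m.group(0).decode("ascii"), ctx))
    return hits


def scan_tree(root: Path, max_size: int = 50 * 1024 * 1024) -> Iterator[Hit]:
    """Walk an unpacked package and yield hits from every regular file."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.stat().st_size <= max_size:
            yield from scan_bytes(p.read_bytes(), str(p.relative_to(root)))


# Constructed sample: a .pypirc-style config that points at both upload endpoints.
SAMPLE_PYPIRC = (
    b"[distutils]\nindex-servers = pypi testpypi\n\n"
    b"[pypi]\nrepository = https://upload.pypi.org/legacy/\n\n"
    b"[testpypi]\nrepository = https://test.pypi.org/legacy/\n"
)

# Constructed sample: an ordinary install-index URL, which is not a publishing endpoint.
SAMPLE_INDEX = b"pip install --index-url https://pypi.org/simple/ requests\n"

if __name__ == "__main__":
    for hit in scan_bytes(SAMPLE_PYPIRC, "sample/.pypirc"):
        print(f"{hit.path}@{hit.offset}: {hit.url}  | {hit.context}")
    print("index-url hits:", len(scan_bytes(SAMPLE_INDEX)))
```

Note that the pattern deliberately ignores the `pypi.org/simple/` install index that pip and other installers contact, since only the upload endpoints indicate publishing capability; run `scan_tree(Path("unpacked-package"))` to review a real detection.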
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- Linux: 562K
- NPM: 5.12M
- NuGet: 735K
- PS Gallery: 17K
- PyPI: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended reading
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools (External resource)