Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Sarah Gooding
May 17, 2024
Python enthusiasts from around the world are gathered in Pittsburgh, Pennsylvania, this week for PyCon US, the community's largest and longest-running annual conference. One of the first major announcements to come out of the event is that cloud services provider Fastly has committed to a five-year sponsorship of the Python Software Foundation (PSF).
The foundation is an organization devoted to advancing open source technology related to the Python programming language. It supports and maintains python.org, The Python Package Index (PyPI), Python Documentation, and other services for the Python community.
Although Fastly has sponsored PSF for the past ten years, particularly by donating CDN resources that keep PyPI fast and reliable, this new five-year commitment ensures continued support and stability for the community.
“This is a really big deal, because it addresses the strategic risk of having a key sponsor like this who might change their support policy based on unexpected future conditions,” Django Web Framework co-creator Simon Willison said.
In 2023, the PSF's budget was robust enough to support various initiatives, including distributing over $600,000 in grants for the Grants Program and PyCon US Travel Grants Program combined, thanks to donors who support the continued advancement of the programming language and its diverse, global community.
Although PSF doesn't necessarily endorse or promote any specific activity of its sponsors, its administration is transparent about how sponsorship contributions are utilized to support the foundation's activities and infrastructure. The foundation reported that PyPI’s Fastly-sponsored CDN had a 99% cache-hit ratio, with 1.2 trillion requests, averaging ~36k requests/second in 2023.
Despite having a small team and limited resources, PyPI serves 800,000 users and supports 284+ billion downloads across more than half a million projects, 5.3 million releases, and 10 million files. Fastly reported that PSF manages 66 petabytes of traffic per month. In 2021, PyPI maintainer Dustin Ingram reported that Fastly gave PSF a 100% discount on its bill, which was in excess of $1.8 million per month at that time. Given the growth of the index, those costs have likely increased significantly.
"We're really excited about Fastly's technology for detecting bots or automations that have gone wild,” PSF Director of Infrastructure Ee Durbin said. “It helps protect our backend, and it also helps us be more diligent users of our resources—not just our bandwidth, but the electricity and carbon we use.”
As PyPI continues to grow, the index has implemented additional security measures. Beginning January 1, 2024, all users are required to enable two-factor authentication (2FA) for their accounts. This step is part of a broader effort to enhance account security and protect against unauthorized access and package tampering. Additionally, PyPI has launched an improved malware reporting and response project, funded by the Center for Security and Emerging Technology (CSET). This project aims to streamline the malware reporting process, making it easier to handle security reports and respond to threats more efficiently.
Last month PyPI expanded its Trusted Publisher Support, making it easier for developers to publish their projects directly from additional continuous integration (CI) systems, including GitLab CI/CD, Google Cloud, and ActiveState, building on existing support for GitHub Actions. This enhancement streamlines the release process, reduces manual steps, and helps maintainers ensure the integrity and security of their packages throughout the deployment pipeline.
Funding for the monumental effort behind PyPI’s operations will continue for the next five years as part of Fastly’s “Fast Forward” program that supports eligible open source projects and nonprofit organizations. PSF’s transparency around this funding ensures that the community understands the impact and importance of these sponsorships in maintaining the reliability and performance of critical services like PyPI.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.