PyPI spent Q1 2024 under sustained attack. On March 28, the Python Package Index paused new user and project registration for roughly 20 hours after a wave of typosquatting packages overwhelmed human moderation. Throughout the quarter researchers at Phylum, Checkmarx, ReversingLabs, Sonatype, and Snyk documented ongoing campaigns — some targeting specific high-value packages like requests, matplotlib, and colorama, others using generic "top 5,000 npm-style" naming strategies to catch fat-fingered installs. The payloads were predictable: Windows info-stealers targeting browser data and crypto wallets, loader stages that pulled second-stage binaries from Discord CDN URLs, and a smaller number of backdoors aimed at developer environments rather than credentials. This post summarizes the notable campaigns, what the March freeze tells us about platform defenses, and what pipeline changes actually reduce exposure.
What happened during the March 28 PyPI freeze?
PyPI temporarily suspended new user registration and new project creation for about 20 hours starting March 28, 2024, after a flood of malicious package uploads exceeded the admins' ability to triage. Mike Fiedler, PyPI's security developer-in-residence, announced the pause on status.python.org and Mastodon. Researchers including Checkmarx's supply chain team and Phylum had been publishing near-daily takedown lists, and the rate of new malicious registrations had climbed enough that manual review was the bottleneck. The freeze was unusual: PyPI had briefly rate-limited registration in the past, but a full pause of new user creation across the entire index was a first. Registration reopened late on March 29 once the queue was clear.
Which typosquat campaigns mattered in Q1 2024?
The most impactful typosquat campaigns targeted requests, colorama, and matplotlib, with payloads pulling data-stealers onto Windows developer machines. Phylum published analyses of campaigns using names like requests-darwin-lite, py-cord-dev, and variants on colorama that carried a Windows executable — typically a stealer built on the open-source Lumma, RedLine, or WhiteSnake templates. ReversingLabs identified a campaign in March using the name django-log-tracker that exfiltrated browser credentials and SSH keys, and Checkmarx documented a wave of packages targeting matplotlib variants that installed a Python-based RAT. The common pattern: a one-character substitution or a hyphenated variant of a top-500 package, combined with a weaponized setup.py that ran on install.
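To show how the naming pattern just described can be caught at ingest, here is an added example (not code from the original post or from any vendor named here): a PEP 503-normalizing checker that flags package names within one edit of a top package, or a top package plus a hyphenated suffix. TOP_PACKAGES and SQUAT_SUFFIXES are constructed stand-ins for a real top-N list and for the suffixes seen in the campaigns above.

```python
import re

# Constructed stand-in for the top-N list a real detector would load from
# PyPI download statistics; not the real ranking.
TOP_PACKAGES = ["requests", "colorama", "matplotlib", "django", "numpy"]

# Hyphenated suffixes used by the campaigns named above (-dev, -lite); extend as needed.
SQUAT_SUFFIXES = ("dev", "lite", "darwin-lite", "utils", "py", "python")

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # 'reqeusts' -> 'requests'
    return d[len(a)][len(b)]

def typosquat_candidates(name: str, top=TOP_PACKAGES, max_distance=1):
    """Return (top_package, reason) pairs when `name` looks like a squat of a top package.
    Check 1: edit distance <= max_distance (one-character substitution or transposition).
    Check 2: a top package plus a hyphenated suffix, e.g. 'requests-darwin-lite'.
    The legitimate package itself (exact match after normalization) is never flagged."""
    n = normalize(name)
    hits = []
    for pkg in top:
        p = normalize(pkg)
        if n == p:
            return []
        dist = damerau_levenshtein(n, p)
        if dist <= max_distance:
            hits.append((pkg, f"edit distance {dist}"))
        elif any(n == f"{p}-{s}" for s in SQUAT_SUFFIXES):
            suffix = n[len(p) + 1:]
            hits.append((pkg, f"suffix variant '-{suffix}'"))
    return hits
```

Distance 1 against very short package names will over-flag, so a production version should raise the threshold with name length and whitelist names that are themselves in the top list.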
What payloads did attackers favor?
Attackers favored Windows info-stealers and Discord-hosted loader stages, with a growing share of packages targeting developer-specific secrets like AWS credentials, GitHub tokens, and npm .npmrc files. The stealer template has not changed much from 2023: a Python setup.py invokes a PowerShell command that downloads a .NET or Go binary from a Discord CDN URL or a GitHub raw URL, executes it, and deletes the dropper. What is newer in 2024 is the focus on developer machines specifically — several campaigns looked for .aws/credentials, .docker/config.json, .ssh/id_rsa, and ~/.config/gh/hosts.yml rather than generic browser data. The calculation is obvious: a developer laptop yields pipeline credentials that unlock production.
How did dependency confusion show up in 2024?
Dependency confusion kept showing up in Q1 2024, a full three years after Alex Birsan's original 2021 disclosure, with new campaigns targeting package names scraped from public GitHub Actions logs. Researchers at Orca Security and Aqua's Nautilus team documented multiple cases where internal package names — revealed in a pip install line in a public CI log — were registered as squats on public PyPI. When the victim's build ran pip install -r requirements.txt without pinning to an internal index, pip resolved to the public (malicious) version because the public version number was higher. Mitigations exist (--index-url, --extra-index-url with explicit priority, private index pinning), but too many teams still rely on default resolver behavior.
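An added example (not from the original post) of a requirements.txt check for the dependency-confusion exposure just described, assuming a constructed acme- prefix for internal packages. Note that pip gives --extra-index-url no lower priority than --index-url: candidates from every configured index are pooled and the highest version wins, so the linter treats its presence as a finding.

```python
import re

# Constructed: name prefixes your organisation reserves for private packages.
INTERNAL_PREFIXES = ("acme-", "acme_")

def _join_continuations(text: str):
    """Re-join lines ending in a backslash (pip-compile writes --hash entries that way)."""
    return text.replace("\\\n", " ").splitlines()

def lint_requirements(text: str):
    """Flag settings that let a public upload of an internal name win dependency resolution."""
    findings = []
    lines = [l.strip() for l in _join_continuations(text) if l.strip() and not l.lstrip().startswith("#")]
    if not any(l.startswith(("--index-url", "-i ")) for l in lines):
        findings.append("no --index-url: every name resolves from public PyPI")
    for line in lines:
        if line.startswith("--extra-index-url"):
            # pip pools candidates from every index and installs the highest version; no priority.
            findings.append("--extra-index-url present: public PyPI competes with the internal index")
        if line.startswith("-"):
            continue  # other pip options, e.g. -r, --trusted-host
        name = re.split(r"[\s=<>!~;\[@]", line, maxsplit=1)[0]
        if not name.lower().startswith(INTERNAL_PREFIXES):
            continue
        if "==" not in line.split("--hash")[0]:
            findings.append(f"{name}: not pinned with ==, so a higher public version would win")
        if "--hash=" not in line:
            findings.append(f"{name}: no --hash, so nothing verifies the artifact is the internal build")
    return findings

# Constructed requirements files; the hashes are placeholders, not real digests.
RISKY = """
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
acme-auth>=1.0
requests==2.31.0
"""
SAFE = """
--index-url https://pypi.internal.example/simple
acme-auth==1.4.2 \\
    --hash=sha256:PLACEHOLDER_INTERNAL_BUILD_HASH
requests==2.31.0 --hash=sha256:PLACEHOLDER_REQUESTS_HASH
"""
```

Run it as a CI gate alongside pip install --require-hashes; the hash check is what turns a pin into a guarantee.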
What does PyPI itself do to catch this?
PyPI runs a combination of automated scanners, a community reporting pipeline, and human moderation, and it has been expanding all three through 2024. Mandatory 2FA for maintainers of the top 1% of projects shipped in 2023 and has measurably reduced account takeover incidents. The PyPI Safety and Security Engineer role — filled by Mike Fiedler — gives the platform a dedicated responder. Project pages at pypi.org/project/.../ now surface attestations, and the PyPI Quarantine feature rolled out in 2024 lets admins temporarily hide a suspicious package without fully deleting it. These are meaningful gains, but upload volume still outruns moderation, which is what the March freeze demonstrated.
What should development teams change this quarter?
Teams should pin by hash, isolate install-time code execution, and scan every setup.py and pyproject.toml for network calls. Concrete changes: use pip install --require-hashes with pip-compile --generate-hashes or Poetry's lockfile; move builds to sandboxed runners where setup.py cannot reach arbitrary egress; adopt pip install --only-binary :all: where possible to avoid source-install hooks; and proxy PyPI through an internal mirror like Artifactory or Nexus with typosquat filtering. Each of these would have neutralized a significant fraction of the Q1 campaigns.
# Lock with hashes and forbid source installs
pip-compile --generate-hashes requirements.in
pip install --require-hashes --only-binary :all: -r requirements.txt
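An added example (not from the original post) of the setup.py scan recommended above: an AST walk that flags install-time imports, shell and network calls, loader-style string fragments (PowerShell, Discord CDN, GitHub raw URLs) and cmdclass hooks, run over a constructed sample shaped like the dropper described in the payload section. The indicator sets are assumptions to tune for your codebase, not an exhaustive signature.

```python
import ast

# Imports, call targets and string fragments that a packaging script has no ordinary reason
# to contain; the fragments follow the loader pattern described above.
MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes", "base64"}
CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
         "subprocess.check_output", "exec", "eval", "urllib.request.urlopen", "requests.get"}
FRAGMENTS = ("powershell", "cdn.discordapp.com", "discord.com/api", "raw.githubusercontent.com", "https://")

def _dotted(node):
    """Render a call target like 'subprocess.run'; None for anything that is not a plain dotted name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def scan_setup_py(source: str):
    """Return sorted, de-duplicated findings about install-time behaviour in a setup.py."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            findings.update(f"import:{m}" for m in mods if m.split(".")[0] in MODULES)
        elif isinstance(node, ast.Call) and _dotted(node.func) in CALLS:
            findings.add(f"call:{_dotted(node.func)}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings.update(f"string:{f}" for f in FRAGMENTS if f in node.value.lower())
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.add("setup:cmdclass")  # custom install/build hooks run during `pip install`
    return sorted(findings)

# Constructed sample mirroring the dropper shape described above; the command is a
# placeholder that downloads nothing.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["powershell", "-c", "<fetch https://cdn.discordapp.com/attachments/EXAMPLE omitted>"])

setup(name="colorama-lite", version="0.4.7", cmdclass={"install": PostInstall})
'''
```

A non-empty result should fail the build or route the package for review; pyproject.toml builds with a custom build backend need the same treatment on the backend module.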
How Safeguard Helps
Safeguard flags PyPI typosquats at ingest by cross-referencing package names against the top 5,000 PyPI projects using distance metrics tuned for Python naming conventions, and reachability analysis tells you which typosquats actually ship in your applications versus those that live only in a dev dependency tree. Griffin AI correlates indicators from Phylum, Checkmarx, and ReversingLabs feeds with your SBOM so campaigns like the Q1 requests and colorama waves surface on your dashboard the day they break. SBOMs include install-time execution indicators — setup.py network calls, PowerShell invocations — which feed policy gates that block any build introducing a package with those behaviors. TPRM assessments identify vendors who ship Python-based products and whose customers are downstream of the same campaigns.