The latest from PyUp's product and Cybersecurity Intelligence (CSI) teams.
PyUp Discovers New Malicious Packages on PyPI
On March 4th, 2023, PyUp Cybersecurity discovered malicious Python packages on PyPI within minutes of them first being uploaded. In the brief time that these packages were available, however, they were downloaded over 1,000 times.
PyUp Discovers ReDoS Vulnerabilities in Top Python Packages
This post is the first in a series of blog posts disclosing novel security flaws in some of the most popular Python packages. For now, we are covering ongoing research by our Cybersecurity Intelligence Team (CIT) on a frequently underestimated class of vulnerability: Regular Expression Denial of Service (ReDoS). ...
PyUp Cybersecurity Issued Clean SOC 2 Audit
PyUp Cybersecurity, the leader in Python dependency security scanning and compliance, has successfully completed a SOC 2 Type I audit. The report did not have any noted exceptions and therefore was issued with a "clean" audit opinion.
Discontinuation of Safety CI for free users
Prior to August 1, 2022, PyUp offered a free edition of Safety CI, allowing users to scan their public GitHub Repositories against our commercial Python vulnerability database. All users without …
List of Malicious and Pytosquatting Packages in PyPI
Researched and written by Sebastian Chnelik, PyUp Cybersecurity Intelligence Team. The PyUp Cybersecurity Intelligence team spends all day every day finding undiscovered or unpublished security vulnerabilities in over 400,000 …
Log4j Security Incident
Special Vulnerability Advisory Last updated: 3 January 2022, 11:13am PST. Check your project doesn’t use Log4j directly or indirectly. If it does, Log4j versions 2.3.2 (Java 6), 2.12.4 (Java 7), …
A Patched Vulnerability in PyUp’s “Safety” Open-Source Command-Line Tool (CVE-2020-5252)
At PyUp, we take the security of our users and their systems very seriously. That’s why we are informing you right away about a vulnerability that one of our …
Finding security vulnerabilities in third party packages
Around a year and a half ago, we started building a security database for third-party Python packages. This allows us to give users fine-grained control over what …
Analyzing Django requirement files on GitHub
Django is the most popular Python web framework. It is now almost 12 years old and is used on all kinds of different projects. From small to super large, from …
Pipfiles, pipenv and Docker
Exciting times in Python. With the recent introduction of Pipfiles and the new pipenv library it's time to rewrite our Dockerfiles to leverage all the goodness of modern Python packaging. …
Don't trust user input
While I was working on pyup.io's database of known security vulnerabilities, I manually reviewed thousands of changelogs and commits over a couple of weeks. A lot of the security issues …