Monitor performance issues & errors in your code

Typosquatting and Supply Chains Vulnerabilities

Episode #319, published Sun, Jun 6, 2021, recorded Wed, May 26, 2021

One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy?

That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.

Watch this episode on YouTube
Play on YouTube
Watch the live stream version

Bentz Tozer is a Vice President in In-Q-Tel’s Cyber Practice, where he identifies and works with startups with the potential for high impact on national security. In previous roles, he has performed security research and software development with a focus on IoT devices and embedded systems. He has a PhD in systems engineering from George Washington University.

John Speed Meyers is an engineer in IQT Labs and a researcher who focuses on software security, especially open source software supply chain security. He holds a PhD in policy analysis from the Pardee RAND Graduate School. He’s ambivalent about computers.
Links from the show

Overview topics
Python Package Index nukes 3,653 malicious libraries uploaded:
Dependency confusion:
Typosquatting Is About More Than Typos:
Approaches to Protecting the Software Supply Chain:
A Quant’s View of Software Supply Chain Securityz:

Open Source Security Foundation (OpenSSF):
Python Security Response Team:

Proposed solutions and tools
AuraBorealis App:
Project Aura:
Aura source code:
Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages:
Have I Been Pwned:
Snyk Package Advisor:
NetworkML Package:

Google as a Visionary Sponsor:
Watch this episode on YouTube:
Episode transcripts:

--- Stay in touch with us ---
Subscribe to us on YouTube:
Follow Talk Python on Mastodon: talkpython
Follow Michael on Mastodon: mkennedy

Want to go deeper? Check out our courses

Episode sponsored by
Ads served ethically
Talk Python's Mastodon Michael Kennedy's Mastodon