Thousands of abandoned PyPI projects could be hijacked: Report




“The problem is that while this is being discussed, attackers can already use this method to gain code execution on many PyPI users as we’ve demonstrated.”

Advice for CISOs, app leaders

Infosec leaders should warn their staff that a new version of a package can potentially include malicious code, he said, even if the last version of the package was completely fine. Upgrading is dangerous, even on a previously-trusted package, he added.

Before deciding to upgrade a package, scan or inspect the latest version of that package to make sure it is safe, he urged. In addition, JFrog recommends upgrading to a new package version only after that version has been publicly available for at least 14 days, since by then most package hijack attempts have been discovered.
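One way to put the 14-day waiting rule into practice is to check a project's release dates before bumping a pin. The script below is an added example, not code from the article or from JFrog. It assumes the shape of the document that the PyPI JSON API returns for a project (`https://pypi.org/pypi/<name>/json`, with `info.version` and per-release file lists carrying `upload_time_iso_8601`); the project name, versions and dates embedded here are constructed so the check runs offline. It reports how old each published version is, which versions have cleared the minimum age, and whether the current latest version is old enough to upgrade to yet.

```python
"""Minimum-age check for PyPI upgrades (added example, not from the article).

Given a PyPI JSON API document for a project, decide which versions have been
public for at least MIN_AGE_DAYS and whether the latest version is eligible
under the "wait 14 days before upgrading" rule.
"""
import json
from datetime import datetime, timezone

MIN_AGE_DAYS = 14

# Constructed sample in the shape of the PyPI JSON API response, trimmed to
# the fields this check needs. Project name, versions and dates are made up.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "example-lib", "version": "2.0.0"},
    "releases": {
        "0.9.0": [],  # release with no files (e.g. all removed): no upload time
        "1.0.0": [{"filename": "example_lib-1.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2024-01-10T12:00:00.000000Z"}],
        "1.1.0": [{"filename": "example_lib-1.1.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2024-02-20T09:30:00.000000Z"}],
        "2.0.0": [{"filename": "example_lib-2.0.0.tar.gz",
                   "upload_time_iso_8601": "2024-03-01T18:45:00.000000Z"}],
    },
})


def _parse_upload_time(ts):
    """Parse PyPI's ISO-8601 timestamps (trailing 'Z') into an aware datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def _as_dict(pypi_json):
    return json.loads(pypi_json) if isinstance(pypi_json, str) else pypi_json


def release_ages(pypi_json, now):
    """Map each version to its age in whole days, measured from the earliest
    file upload for that version. Versions with no files are skipped."""
    data = _as_dict(pypi_json)
    ages = {}
    for version, files in data["releases"].items():
        times = [_parse_upload_time(f["upload_time_iso_8601"])
                 for f in files if "upload_time_iso_8601" in f]
        if not times:
            continue
        ages[version] = (now - min(times)).days
    return ages


def eligible_versions(pypi_json, now, min_age_days=MIN_AGE_DAYS):
    """Versions that have been public for at least min_age_days, sorted."""
    return sorted(v for v, age in release_ages(pypi_json, now).items()
                  if age >= min_age_days)


def upgrade_decision(pypi_json, now, min_age_days=MIN_AGE_DAYS):
    """Return (latest_version, ok, reason) for the project's current latest."""
    data = _as_dict(pypi_json)
    latest = data["info"]["version"]
    age = release_ages(data, now).get(latest)
    if age is None:
        return latest, False, "latest version has no uploaded files"
    if age < min_age_days:
        return latest, False, f"only {age} days old (< {min_age_days})"
    return latest, True, f"{age} days old"


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable results.
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    print("ages:", release_ages(SAMPLE_PYPI_JSON, now))
    print("eligible:", eligible_versions(SAMPLE_PYPI_JSON, now))
    print("latest:", upgrade_decision(SAMPLE_PYPI_JSON, now))
```

In a real pipeline you would fetch the JSON document for each pinned dependency and run `upgrade_decision` against the current time; a failing result means the pin should stay where it is until the release has aged, and the release should still be inspected or scanned before it is adopted.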



