Detecting Cyber Attacks on the Python Ecosystem

Details
This month at PyYYC, Bertus Kruger will present the following talk:
===
In recent years, cyber-criminals have increasingly used cyber attacks on the software supply chain to attack organizations. Attackers use a variety of methods for these software supply chain attacks, and one such method is using the Python Package Index (PyPI) to distribute malicious code through fake Python packages. Typically, these fake Python packages use name/typo squatting of existing popular Python packages with the hope that a developer may mistype a package name when doing a "pip install".
In this presentation I'll talk about cyber attacks on the Python ecosystem and how I detected malicious Python packages in the PyPI repository using a large hard drive, static code analysis and some data analysis. I'll show some of the interesting things I found in the PyPI repository and I'll explore some of the tools I used to make it all work.
Please bring your laptops, so that after the talk you can play around with some of the tools that Bertus shows us.

Assembly Coworking Space
119 14 Street Northwest · Calgary, AB