Warning: PyPI Feature Executes Code Automatically After Python Package Download
In another finding that could expose developers to increased risk of a supply chain attack, it has emerged that nearly one-third of the packages in PyPI, the Python Package Index, trigger automatic code execution merely on download, before any explicit install step.
"A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package," Checkmarx researcher Yehuda Gelb said in a
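The mechanism behind the finding is that when a release on PyPI ships only a source distribution (sdist) and no wheel, pip has to run the package's setup.py (or its build backend) just to obtain metadata, so arbitrary top-level code in setup.py executes during `pip download` as well as `pip install`. The following is an added example, not code from the article or from Checkmarx, showing two checks a practitioner can run before touching a package: first, whether a release is sdist-only, using the field layout of the PyPI JSON API (`https://pypi.org/pypi/<name>/json`, whose `urls` entries carry a `packagetype` of `sdist` or `bdist_wheel`); second, a static triage of an sdist's setup.py that lists top-level statements which would run on download. The sample API response, the package name `examplepkg` and the embedded sdist are constructed here for illustration and do not refer to a real package.

```python
import ast
import io
import json
import tarfile

# Constructed sample shaped like a PyPI JSON API response; the package is fictional.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.0.0"},
    "urls": [
        {"packagetype": "sdist", "filename": "examplepkg-1.0.0.tar.gz"},
    ],
})


def sdist_only(pypi_json):
    """True when the current release offers no wheel at all.

    In that case pip cannot resolve the package without building metadata from
    the sdist, which means executing its setup.py / build backend on download.
    """
    data = json.loads(pypi_json)
    kinds = {entry.get("packagetype") for entry in data.get("urls", [])}
    return "sdist" in kinds and "bdist_wheel" not in kinds


def make_sample_sdist():
    """Constructed sdist whose setup.py runs a shell command at import time."""
    setup_py = b'''
import os
import setuptools
os.system("echo executed during pip download")  # runs before setup() is reached
setuptools.setup(name="examplepkg", version="1.0.0")
'''
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("examplepkg-1.0.0/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


def _contains_call(node):
    return any(isinstance(sub, ast.Call) for sub in ast.walk(node))


def top_level_side_effects(setup_source):
    """Return the source of top-level statements in setup.py that do work other
    than importing, defining, assigning constants, or calling setup().

    This is triage, not a security boundary: a crafted setup.py can hide code
    inside imports or inside the setup() arguments themselves.
    """
    tree = ast.parse(setup_source)
    flagged = []
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.ClassDef)):
            continue
        if isinstance(node, ast.Assign) and not _contains_call(node.value):
            continue
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            func = node.value.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name == "setup":
                continue
        flagged.append(ast.get_source_segment(setup_source, node))
    return flagged


def audit_sdist(sdist_bytes):
    """Locate setup.py inside an sdist tarball and report its top-level side effects."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8")
                return top_level_side_effects(source)
    return []


if __name__ == "__main__":
    if sdist_only(SAMPLE_PYPI_JSON):
        print("examplepkg 1.0.0 ships no wheel: setup.py will run on pip download")
    for statement in audit_sdist(make_sample_sdist()):
        print("top-level side effect in setup.py:", statement)
```

When a package is flagged as sdist-only, the safe way to fetch it for inspection is `pip download --only-binary=:all: <name>`, which makes pip refuse to build from source (and therefore never runs setup.py); the same flag applies to `pip install`. Downloading the .tar.gz with a plain HTTP client and running `audit_sdist` on it is another way to look at the code without executing it.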
https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html