“This attack on PyPI’s ‘ctx’ has the potential to be extremely damaging to companies globally – we could have another Log4J on our hands. With the open-source solution being downloaded over 20,000 times a week, it’s easy to see how an attack like this might spread rapidly. Although PyPI has taken down the malicious version of ‘ctx’, there’s no knowing how many developers have downloaded it in the meantime and left their environments exposed.
“Open-source components are now present in 92% of apps – they make the world go round. However, attacks like this show that companies can’t blindly trust open-source solutions, as they really have very little idea who has created or contributed towards them, which leaves companies wide open. Developers aren’t going to stop using open source as it enables them to move so fast, so organisations must take a proactive approach to enabling the safe use of these solutions. This means deploying a zero-trust model in cloud native environments, analysing every open source component and evaluating its level of risk before approving or rejecting it. Of course, doing this manually would be an incredibly slow and frustrating process, creating friction between security and developer teams, so automation is an absolute must. Without it, companies simply won’t be able to develop both at speed and securely.”