home.social
Sign in Create account

#pypi — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #pypi, aggregated by home.social.

  1. Python Software Foundation @ThePSF ·

    🔐 Catch PSF's PyPI Safety and Security Engineer, @miketheman, talking Trusted Publishing at next week! Learn how to eliminate long-lived credentials from your release workflow: no tokens, no secrets, just secure deploys. Tue May 19 @ 11am CDT
    osselcna2026.sched.com/event/2

    #ossummit #pypi #python #supplychain #security
  2. Analyst207 @[email protected] ·

    Malware Worm Targets npm, PyPi in Mass Supply-Chain Attack

    A self-spreading worm, dubbed Mini Shai-Hulud, has infected over 170 packages with nearly 180 million weekly downloads, posing a massive threat to the software supply chain. This highly contagious malware has been open-sourced, making it easier for others to exploit and escalate the attack.

    osintsights.com/malware-worm-t

    #SupplyChain #MalwareOperations #Npm #Pypi #Shaihulud

    #supplychain #malwareoperations #npm #pypi #shaihulud
  3. Thomas Fricke (he/his) @[email protected] ·

    golem.de/news/supply-chain-ang

    "Bei den meisten ... handelt es sich um NPM-Pakete. ... aber auch Pakete aus dem Python Package Index (PyPI) betroffen, etwa von Mistral AI und Guardrails AI. Die Angreifer haben jeweils Schadcode eingeschleust, der der bereits genannten Datenausleitung dient. Auf die Zielsysteme gelangt er in Form einer rund 2,3 MByte großen und stark verschleierten Datei namens router_init.js."

    #pypi ist tief in #ai und ein war Argument für die Gründung von
    @sovtechfund

    #security

    #pypi #ai #security
  4. Bill @[email protected] ·

    This tanstack attack is fucking malignant.

    decipher.sc/2026/05/12/ongoing

    #supplychain #pypi

    #supplychain #pypi
  5. Bill @[email protected] ·

    This tanstack attack is fucking malignant.

    decipher.sc/2026/05/12/ongoing

    #supplychain #pypi

    #supplychain #pypi
  6. Maik @[email protected] ·

    42 Pakete von #TanStack auf npm wurden bei einem Supply-Chain-Angriff mit Credential Stealern kompromittiert. Betroffene Versionen sind deprecated, Nutzer sollten Credentials rotieren. Der Angriff gehört zur Mini Shai-Hulud-Kampagne, die auch andere #npm- und #PyPI-Pakete betrifft. heise.de/news/Supply-Chain-Ang

    #tanstack #npm #pypi
  7. Maik @[email protected] ·

    42 Pakete von #TanStack auf npm wurden bei einem Supply-Chain-Angriff mit Credential Stealern kompromittiert. Betroffene Versionen sind deprecated, Nutzer sollten Credentials rotieren. Der Angriff gehört zur Mini Shai-Hulud-Kampagne, die auch andere #npm- und #PyPI-Pakete betrifft. heise.de/news/Supply-Chain-Ang

    #tanstack #npm #pypi
  8. Maik @[email protected] ·

    42 Pakete von #TanStack auf npm wurden bei einem Supply-Chain-Angriff mit Credential Stealern kompromittiert. Betroffene Versionen sind deprecated, Nutzer sollten Credentials rotieren. Der Angriff gehört zur Mini Shai-Hulud-Kampagne, die auch andere #npm- und #PyPI-Pakete betrifft. heise.de/news/Supply-Chain-Ang

    #tanstack #npm #pypi
  9. Maik @[email protected] ·

    42 Pakete von #TanStack auf npm wurden bei einem Supply-Chain-Angriff mit Credential Stealern kompromittiert. Betroffene Versionen sind deprecated, Nutzer sollten Credentials rotieren. Der Angriff gehört zur Mini Shai-Hulud-Kampagne, die auch andere #npm- und #PyPI-Pakete betrifft. heise.de/news/Supply-Chain-Ang

    #pypi #npm #tanstack
  10. Maik @[email protected] ·

    42 Pakete von #TanStack auf npm wurden bei einem Supply-Chain-Angriff mit Credential Stealern kompromittiert. Betroffene Versionen sind deprecated, Nutzer sollten Credentials rotieren. Der Angriff gehört zur Mini Shai-Hulud-Kampagne, die auch andere #npm- und #PyPI-Pakete betrifft. heise.de/news/Supply-Chain-Ang

    #tanstack #npm #pypi
  11. github.com/ghostwriter @[email protected] ·

    🚨 UPDATE: Mini Shai-Hulud has crossed from #NPM into #ComposerPHP/#Packagist and now #PyPI… and is still spreading.

    [email protected]
    [email protected]

    socket.dev/blog/tanstack-npm-p

    #TeamPCP #SupplyChainAttack

    #npm #composerphp #pypi #teampcp #supplychainattack
  12. github.com/ghostwriter @[email protected] ·

    🚨 UPDATE: Mini Shai-Hulud has crossed from #NPM into #ComposerPHP/#Packagist and now #PyPI… and is still spreading.

    [email protected]
    [email protected]

    socket.dev/blog/tanstack-npm-p

    #TeamPCP #SupplyChainAttack

    #npm #composerphp #pypi #teampcp #supplychainattack
  13. github.com/ghostwriter @[email protected] ·

    🚨 UPDATE: Mini Shai-Hulud has crossed from #NPM into #ComposerPHP/#Packagist and now #PyPI… and is still spreading.

    [email protected]
    [email protected]

    socket.dev/blog/tanstack-npm-p

    #TeamPCP #SupplyChainAttack

    #npm #composerphp #pypi #teampcp #supplychainattack
  14. github.com/ghostwriter @[email protected] ·

    🚨 UPDATE: Mini Shai-Hulud has crossed from #NPM into #ComposerPHP/#Packagist and now #PyPI… and is still spreading.

    [email protected]
    [email protected]

    socket.dev/blog/tanstack-npm-p

    #TeamPCP #SupplyChainAttack

    #supplychainattack #teampcp #pypi #composerphp #npm
  15. github.com/ghostwriter @[email protected] ·

    🚨 UPDATE: Mini Shai-Hulud has crossed from #NPM into #ComposerPHP/#Packagist and now #PyPI… and is still spreading.

    [email protected]
    [email protected]

    socket.dev/blog/tanstack-npm-p

    #TeamPCP #SupplyChainAttack

    #npm #composerphp #pypi #teampcp #supplychainattack
  16. Seth Larson @[email protected] ·

    RE: fosstodon.org/@pycon/116538489

    This talk from @andrewnez grows more and more important as the days go on... it's a must watch!

    #Python #PyPI #PyConUS #PyConUS2026 #security

    #python #pypi #pyconus #pyconus2026 #security
  17. Bernhard Biedermann @[email protected] ·

    Erfolgreich scheitern mit #NPM- und #PyPI-Paketen. 🤗

    "zuletzt jeweils auf über 11 Millionen Downloads pro Woche. Und das sind nur zwei von insgesamt 416 Software-Paketversionen, die die Socket-Forscher in ihrem Bericht als betroffen auflisten."

    Die Ursache liegt eher bei den Entwicklern: 🙈

    "Softwareentwickler, die NPM- oder PyPI-Pakete im Einsatz haben, sollten dringend prüfen, ob sie möglicherweise eine oder mehrere betroffene Versionen der kompromittierten Pakete heruntergeladen haben. Ist dies der Fall, so sind die jeweiligen Systeme als kompromittiert zu betrachten."

    Die Sorglosigkeit scheint Programm zu sein. Erfahrene Entwickler werden leiden weil der gesamte Bereich nun im schlechten Licht gesehen wird. 🙄

    Ohne #SBOM und sorgfältiger Umgang mit Dritt-Software ist es sehr riskant. 🙁

    Fragen Sie erfahrene Entwickler wie man sicherer im #Internet die Entwicklung betreiben muss. Ob #NPM- und #PyPI-Pakete, es gibt Verfahren die deutlich weniger Fehler zulassen. 🙂

    golem.de/news/supply-chain-ang

    #NPM #PyPI #SBOM #Internet

    #npm #sbom #internet #pypi
  18. Hackread.com @Hackread ·

    📢⚠️ Hackers are now using to develop zero-day exploits, according to a new Google report. Researchers also uncovered AI-powered backdoors, phishing scams and automated supply chain attacks targeting GitHub and PyPI.

    Read: hackread.com/google-hackers-us

    #ai #android #cybersecurity #hacking #0day #malware
  19. Hackread.com @[email protected] ·

    📢⚠️ Hackers are now using #AI to develop zero-day exploits, according to a new Google report. Researchers also uncovered AI-powered #Android backdoors, phishing scams and automated supply chain attacks targeting GitHub and PyPI.

    Read: hackread.com/google-hackers-us

    #Cybersecurity #Hacking #0Day #Malware #GitHub #PyPI

    #ai #android #cybersecurity #hacking #0day #malware
  20. Hackread.com @[email protected] ·

    📢⚠️ Hackers are now using #AI to develop zero-day exploits, according to a new Google report. Researchers also uncovered AI-powered #Android backdoors, phishing scams and automated supply chain attacks targeting GitHub and PyPI.

    Read: hackread.com/google-hackers-us

    #Cybersecurity #Hacking #0Day #Malware #GitHub #PyPI

    #ai #android #cybersecurity #hacking #0day #malware
  21. Hackread.com @[email protected] ·

    📢⚠️ Hackers are now using #AI to develop zero-day exploits, according to a new Google report. Researchers also uncovered AI-powered #Android backdoors, phishing scams and automated supply chain attacks targeting GitHub and PyPI.

    Read: hackread.com/google-hackers-us

    #Cybersecurity #Hacking #0Day #Malware #GitHub #PyPI

    #pypi #github #malware #0day #hacking #cybersecurity
  22. Hackread.com @[email protected] ·

    📢⚠️ Hackers are now using #AI to develop zero-day exploits, according to a new Google report. Researchers also uncovered AI-powered #Android backdoors, phishing scams and automated supply chain attacks targeting GitHub and PyPI.

    Read: hackread.com/google-hackers-us

    #Cybersecurity #Hacking #0Day #Malware #GitHub #PyPI

    #ai #android #cybersecurity #hacking #0day #malware
  23. Mariatta 🤦🏻‍♀️ :python: @mariatta ·

    🎤 Speaker spotlight: Mike Fiedler

    "And Now for Something Completely Legitimate" 1:30 PM, May 16

    Mike works on PyPI safety & security. The title is a wink to Monty Python, and the topic is dead serious: keeping the packages that Pythonistas install every day safe and trustworthy.

    If you publish to PyPI, depend on it, or worry about supply-chain risk, don’t miss this important conversation.

    #pyconus #maintainerssummit #pypi
  24. OTX Bot @[email protected] ·

    Malicious PyPI Package Embeds Multi-Layer Encrypted Backdoor to Steal Users’ Cryptocurrency Information — HelixGuard

    Pulse ID: 6a01c0fff6a09f21f8fe5e4f
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:43:59

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PyPI #bot #cryptocurrency #CyberHunter_NL

    #backdoor #cybersecurity #infosec #otx #openthreatexchange #pypi
  25. Python Software Foundation @ThePSF ·

    This plan will shape what the PSF does and how it spends its resources for the next five years. If you use Python, contribute to it, or participate in communities around it, you have a stake in shaping its future!

    #python #pypi
  26. Python Software Foundation @ThePSF ·

    There are a couple of ways to share your feedback:
    - Email the address listed in the blog post
    - Join PSF Board Office Hours in May & June
    - Comment on the Discuss thread
    - Join the dedicated Open Space session at

    discuss.python.org/t/strategic


    discuss.python.org/t/strategic

    #pyconus #python #pypi
  27. Python Software Foundation @ThePSF ·

    The PSF is excited to share that the PSF Board is developing a five-year strategic plan–and we want to hear from you! We're sharing the high-level goals we’ve drafted and welcoming the whole Python community into the conversation. Read more on our blog: pyfound.blogspot.com/2026/05/s


    pyfound.blogspot.com/2026/05/s

    #python #pypi
  28. Matthew Martin @[email protected] ·

    @andrewnez I had a bot write skip-trace to try to track down who in the real world owns a package. A lot of the package repos
    - don't care who owns the package
    - want to protect privacy

    Is Mr Anonymous dead? How can you know anything about someone you know nothing about?

    #Pypi provides no messaging system itself. But does have a package takeover process that depends on messaging!

    pypi.org/project/skip-trace/

    #pypi
  29. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Pulse ID: 69fd6ab4efa3b430dc39886a
    Pulse Link: otx.alienvault.com/pulse/69fd6
    Pulse Author: Tr1sa111
    Created: 2026-05-08 04:46:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PyPI #bot #Tr1sa111

    #cybersecurity #infosec #malware #otx #openthreatexchange #pypi
  30. Sam Stepanyan :verified: 🐘 @[email protected] ·

    #PyPI 3 Python Packages Deliver ZiChatBot #Malware via Zulip APIs on Windows and Linux:

    * uuid32-utils
    * colorinal
    * termncolor

    👇
    thehackernews.com/2026/05/pypi

    #pypi #malware
  31. Habr @[email protected] ·

    [Перевод] Вредоносный PyTorch Lightning сливал пароли через скрытый JavaScript

    30 апреля на PyPI обнаружили новую версию PyTorch Lightning, которая при импорте скачивала Bun и запускала 11,4 МБ опасного JavaScript-вора. Цель — браузеры, облачные API, GitHub-токены. Всего одна строчка импорта: import lightning — и все ваши API-ключи и данные будут скомпрометированы! Полный разбор инцидента внутри. Разобрать инцидент

    habr.com/ru/articles/1032726/

    #python #pytorch #взлом #атака #вредоносный_код #вредоносы #pypi #кибербезопасность #кража_данных #кража_паролей

    #кража_паролей #кража_данных #кибербезопасность #pypi #вредоносы #вредоносный_код
  32. Habr @[email protected] ·

    [Перевод] Вредоносный PyTorch Lightning сливал пароли через скрытый JavaScript

    30 апреля на PyPI обнаружили новую версию PyTorch Lightning, которая при импорте скачивала Bun и запускала 11,4 МБ опасного JavaScript-вора. Цель — браузеры, облачные API, GitHub-токены. Всего одна строчка импорта: import lightning — и все ваши API-ключи и данные будут скомпрометированы! Полный разбор инцидента внутри. Разобрать инцидент

    habr.com/ru/articles/1032726/

    #python #pytorch #взлом #атака #вредоносный_код #вредоносы #pypi #кибербезопасность #кража_данных #кража_паролей

    #кража_паролей #кража_данных #кибербезопасность #pypi #вредоносы #вредоносный_код
  33. Habr @[email protected] ·

    [Перевод] Вредоносный PyTorch Lightning сливал пароли через скрытый JavaScript

    30 апреля на PyPI обнаружили новую версию PyTorch Lightning, которая при импорте скачивала Bun и запускала 11,4 МБ опасного JavaScript-вора. Цель — браузеры, облачные API, GitHub-токены. Всего одна строчка импорта: import lightning — и все ваши API-ключи и данные будут скомпрометированы! Полный разбор инцидента внутри. Разобрать инцидент

    habr.com/ru/articles/1032726/

    #python #pytorch #взлом #атака #вредоносный_код #вредоносы #pypi #кибербезопасность #кража_данных #кража_паролей

    #кража_паролей #кража_данных #кибербезопасность #pypi #вредоносы #вредоносный_код
  34. Habr @[email protected] ·

    [Перевод] Вредоносный PyTorch Lightning сливал пароли через скрытый JavaScript

    30 апреля на PyPI обнаружили новую версию PyTorch Lightning, которая при импорте скачивала Bun и запускала 11,4 МБ опасного JavaScript-вора. Цель — браузеры, облачные API, GitHub-токены. Всего одна строчка импорта: import lightning — и все ваши API-ключи и данные будут скомпрометированы! Полный разбор инцидента внутри. Разобрать инцидент

    habr.com/ru/articles/1032726/

    #python #pytorch #взлом #атака #вредоносный_код #вредоносы #pypi #кибербезопасность #кража_данных #кража_паролей

    #python #pytorch #взлом #атака #вредоносный_код #вредоносы
  35. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

    Pulse ID: 69fb57e61f46ab512bd87fc1
    Pulse Link: otx.alienvault.com/pulse/69fb5
    Pulse Author: AlienVault
    Created: 2026-05-06 15:01:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

    #cybersecurity #infosec #linux #malware #otx #openthreatexchange
  36. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

    Pulse ID: 69fb57e61f46ab512bd87fc1
    Pulse Link: otx.alienvault.com/pulse/69fb5
    Pulse Author: AlienVault
    Created: 2026-05-06 15:01:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

    #cybersecurity #infosec #linux #malware #otx #openthreatexchange
  37. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

    Pulse ID: 69fb57e61f46ab512bd87fc1
    Pulse Link: otx.alienvault.com/pulse/69fb5
    Pulse Author: AlienVault
    Created: 2026-05-06 15:01:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

    #cybersecurity #infosec #linux #malware #otx #openthreatexchange
  38. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

    Pulse ID: 69fb57e61f46ab512bd87fc1
    Pulse Link: otx.alienvault.com/pulse/69fb5
    Pulse Author: AlienVault
    Created: 2026-05-06 15:01:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

    #alienvault #bot #windows #supplychain #shellcode #pypi
  39. OTX Bot @[email protected] ·

    OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

    Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

    Pulse ID: 69fb57e61f46ab512bd87fc1
    Pulse Link: otx.alienvault.com/pulse/69fb5
    Pulse Author: AlienVault
    Created: 2026-05-06 15:01:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

    #cybersecurity #infosec #linux #malware #otx #openthreatexchange
  40. Mike Fiedler, Code Gardener @[email protected] ·

    RE: fosstodon.org/@pycon/116240637

    Have you been on the fence about coming to #PyConUS in Long Beach? Well, get off that fence and come on out!
    I'll be speaking at the new #security track, dissecting #PyPI phishing campaigns, speaking at maintainer and packaging summits, and looking forward to hanging out with you all

    #pyconus #security #pypi
  41. OTX Bot @[email protected] ·

    PyPI Package Compromised in Supply Chain Attack

    Pulse ID: 69f97a6a08c383f22b8c2546
    Pulse Link: otx.alienvault.com/pulse/69f97
    Pulse Author: Tr1sa111
    Created: 2026-05-05 05:04:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PyPI #SupplyChain #bot #Tr1sa111

    #cybersecurity #infosec #otx #openthreatexchange #pypi #supplychain
  42. Seth Larson @[email protected] ·

    I'm running a “ #Security for #OpenSource Maintainers” space at #PyConUS 2026 again this year. Bring challenges, feedback, and your experiences with the security tooling and “landscape” to share and learn from others.

    Date will be announced closer to the event, hope to see you there!

    us.pycon.org/2026/events/open-

    #python #supplychain #pypi #oss

    #opensource #pyconus #security #python #supplychain #pypi
  43. OTX Bot @[email protected] ·

    Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors

    An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages including real-ids, coloredtxt, beautifultext, and minisound were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...

    Pulse ID: 69f837f3d2d59a26f6d3acf3
    Pulse Link: otx.alienvault.com/pulse/69f83
    Pulse Author: AlienVault
    Created: 2026-05-04 06:08:51

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #DRat #Encryption #Endpoint #InfoSec #Korea #Linux #Mac #MacOS #Malware #NorthKorea #OTX #OpenThreatExchange #PyPI #Python #RAT #SupplyChain #bot #AlienVault

    #backdoor #cybersecurity #drat #encryption #endpoint #infosec
  44. OTX Bot @[email protected] ·

    Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

    The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

    Pulse ID: 69f3e871f34be9dc34f7bd3d
    Pulse Link: otx.alienvault.com/pulse/69f3e
    Pulse Author: AlienVault
    Created: 2026-04-30 23:40:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

    #cloud #cybersecurity #github #infosec #malware #npm
  45. OTX Bot @[email protected] ·

    Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

    The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

    Pulse ID: 69f3e871f34be9dc34f7bd3d
    Pulse Link: otx.alienvault.com/pulse/69f3e
    Pulse Author: AlienVault
    Created: 2026-04-30 23:40:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

    #cloud #cybersecurity #github #infosec #malware #npm
  46. OTX Bot @[email protected] ·

    Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

    The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

    Pulse ID: 69f3e871f34be9dc34f7bd3d
    Pulse Link: otx.alienvault.com/pulse/69f3e
    Pulse Author: AlienVault
    Created: 2026-04-30 23:40:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

    #cloud #cybersecurity #github #infosec #malware #npm
  47. OTX Bot @[email protected] ·

    Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

    The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

    Pulse ID: 69f3e871f34be9dc34f7bd3d
    Pulse Link: otx.alienvault.com/pulse/69f3e
    Pulse Author: AlienVault
    Created: 2026-04-30 23:40:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

    #alienvault #developers #bot #worm #rat #pypi
  48. OTX Bot @[email protected] ·

    Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

    The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

    Pulse ID: 69f3e871f34be9dc34f7bd3d
    Pulse Link: otx.alienvault.com/pulse/69f3e
    Pulse Author: AlienVault
    Created: 2026-04-30 23:40:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

    #cloud #cybersecurity #github #infosec #malware #npm
  49. OTX Bot @[email protected] ·

    PyPI Package Compromised in Supply Chain Attack

    The popular PyPI package lightning experienced a supply chain attack affecting versions 2.6.2 and 2.6.3, published on April 30, 2026. The compromise introduced malicious code that executes automatically upon module import, downloading Bun JavaScript runtime and executing an 11MB obfuscated payload. The attack harvests credentials including GitHub tokens, npm tokens, cloud credentials from AWS, Azure, and Google Cloud, while targeting CI/CD environments. The malicious code poisons GitHub repositories by injecting backdoored files impersonating Claude Code commits and infects local npm packages through tarball manipulation. The attack shows similarities to previous Shai-Hulud campaigns in terms of credential targeting and obfuscation methods. Evidence suggests the maintainer's GitHub account (pl-ghost) was compromised, with suspicious branch operations and disclosure suppression indicating ongoing attacker control. The incident affects a widely-used deep learning framework receiving millions of monthly downl...

    Pulse ID: 69f3a961ffb07e2895566458
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:29

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AWS #Azure #BackDoor #Cloud #CyberSecurity #GitHub #Google #InfoSec #Java #JavaScript #NPM #OTX #OpenThreatExchange #PyPI #RAT #SupplyChain #bot #AlienVault

    #aws #azure #backdoor #cloud #cybersecurity #github
  50. Xavier «X» Santolaria :verified_paw: :donor: @[email protected] ·

    🕵🏻‍♂️ [InfoSec MASHUP] - This week's news cycle handed us the usual parade of breaches, arrests, and patch-your-stuff urgency — but if you squint at the #Malware section long enough, a more uncomfortable story emerges. #SAP-related npm packages backdoored with a credential stealer. A popular #PyPI package hijacked via a forged signed release pushed through a compromised GitHub Actions workflow. Seventy-three "sleeper" extensions quietly sitting in #OpenVSX, waiting. The common thread: attackers aren't breaking down the front door anymore. They're walking in through the tools developers use every day, often with a valid signature and a clean commit history.

    What makes this particularly fun — in the way a slow-motion disaster is fun — is that the blast radius isn't just the developer who ran pip install. It's every downstream user, every CI/CD pipeline, every AI coding agent that helpfully executed the preinstall hook without asking questions. The supply chain isn't a niche threat vector reserved for nation-state ops anymore. It's where commodity attackers are increasingly playing, because it scales beautifully and the detection gap remains embarrassingly wide.

    → Week #18/2026 also covers: Supply chain attackers found the path of least resistance, #OpenSSH patched a bug older than most junior devs, and #Europe is done pretending U.S. #cloud is a neutral choice.

    Full issue 👉 infosec-mashup.santolaria.net/

    If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

    #malware #sap #pypi #openvsx #openssh #europe