home.social

#pypi — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #pypi, aggregated by home.social.

  1. Today's the day! Come on out for story time and good ideas when I share details on the Anatomy of a Phishing Campaign I handled for #PyPI around this time last year.

    ep2026.europython.eu/session/a

    #EuroPython2026 #EP2026 #Python #OpenSource #SupplyChain #Security

  2. Today's the day! Come on out for story time and good ideas when I share details on the Anatomy of a Phishing Campaign I handled for #PyPI around this time last year.

    ep2026.europython.eu/session/a

    #EuroPython2026 #EP2026 #Python #OpenSource #SupplyChain #Security

  3. RE: fosstodon.org/@europython/1167

    Very excited to share stories, insights, recommendations at my first @europython

    I'll also be attending the Packaging and Language Summits, as well as any other opportunities to increase awareness of #Python and #PyPI #OpenSource #SupplyChain #Security initiatives.

    #EP2026 #TooManyHashtags #SorryNotSorry

  4. RE: fosstodon.org/@europython/1167

    Very excited to share stories, insights, recommendations at my first @europython

    I'll also be attending the Packaging and Language Summits, as well as any other opportunities to increase awareness of #Python and #PyPI #OpenSource #SupplyChain #Security initiatives.

    #EP2026 #TooManyHashtags #SorryNotSorry

  5. [Перевод] Пакетным менеджерам пора ввести период охлаждения

    Когда злоумышленник получает доступ к учетной записи мейнтейнера или захватывает заброшенный пакет, вредоносная версия может разойтись по тысячам проектов быстрее, чем ее успеют заметить. Один из способов снизить риск — ввести период охлаждения для зависимостей: не устанавливать новую версию пакета сразу после публикации, а ждать несколько дней, пока сообщество и вендоры безопасности успеют отреагировать. Публикуем перевод статьи Эндрю Несбитта о dependency cooldown и о том, как этот подход реализуют разные пакетные менеджеры и инструменты обновления зависимостей: npm, pnpm, Yarn, Bun, Deno, pip, uv, Poetry, Bundler, Cargo, Dependabot, Renovate и другие. Отдельно в материале рассматриваются различия между относительными интервалами и абсолютными датами, проблемы временных меток, исключения для обновлений безопасности и ограничения подхода в разных экосистемах.

    habr.com/ru/companies/codescor

    #пакетные_менеджеры #зависимости #supply_chain_security #open_source #npm #PyPI #RubyGems #Dependabot #Renovate #dependency_cooldown

  6. Glassworm smantellato: CrowdStrike abbatte la botnet che prendeva di mira gli sviluppatori attraverso npm, PyPI e GitHub

    Il 26 maggio 2026, CrowdStrike, Google e Shadowserver Foundation hanno eseguito un takedown coordinato di Glassworm, botnet attivo da oltre un anno che infettava sviluppatori attraverso estensioni VSCode trojanizzate, pacchetti npm/Python malevoli e repository GitHub avvelenati. Il C2 sfruttava blockchain Solana, BitTorrent DHT e Google Calendar come canali di resilienza.

    insicurezzadigitale.com/glassw

  7. Glassworm smantellato: CrowdStrike abbatte la botnet che prendeva di mira gli sviluppatori attraverso npm, PyPI e GitHub

    Il 26 maggio 2026, CrowdStrike, Google e Shadowserver Foundation hanno eseguito un takedown coordinato di Glassworm, botnet attivo da oltre un anno che infettava sviluppatori attraverso estensioni VSCode trojanizzate, pacchetti npm/Python malevoli e repository GitHub avvelenati. Il C2 sfruttava blockchain Solana, BitTorrent DHT e Google Calendar come canali di resilienza.

    insicurezzadigitale.com/glassw

  8. Glassworm smantellato: CrowdStrike abbatte la botnet che prendeva di mira gli sviluppatori attraverso npm, PyPI e GitHub

    Il 26 maggio 2026, CrowdStrike, Google e Shadowserver Foundation hanno eseguito un takedown coordinato di Glassworm, botnet attivo da oltre un anno che infettava sviluppatori attraverso estensioni VSCode trojanizzate, pacchetti npm/Python malevoli e repository GitHub avvelenati. Il C2 sfruttava blockchain Solana, BitTorrent DHT e Google Calendar come canali di resilienza.

    insicurezzadigitale.com/glassw

  9. Glassworm smantellato: CrowdStrike abbatte la botnet che prendeva di mira gli sviluppatori attraverso npm, PyPI e GitHub

    Il 26 maggio 2026, CrowdStrike, Google e Shadowserver Foundation hanno eseguito un takedown coordinato di Glassworm, botnet attivo da oltre un anno che infettava sviluppatori attraverso estensioni VSCode trojanizzate, pacchetti npm/Python malevoli e repository GitHub avvelenati. Il C2 sfruttava blockchain Solana, BitTorrent DHT e Google Calendar come canali di resilienza.

    insicurezzadigitale.com/glassw

  10. Glassworm smantellato: CrowdStrike abbatte la botnet che prendeva di mira gli sviluppatori attraverso npm, PyPI e GitHub

    Il 26 maggio 2026, CrowdStrike, Google e Shadowserver Foundation hanno eseguito un takedown coordinato di Glassworm, botnet attivo da oltre un anno che infettava sviluppatori attraverso estensioni VSCode trojanizzate, pacchetti npm/Python malevoli e repository GitHub avvelenati. Il C2 sfruttava blockchain Solana, BitTorrent DHT e Google Calendar come canali di resilienza.

    insicurezzadigitale.com/glassw

  11. 🕵🏻‍♂️ [InfoSec MASHUP] 21/2026 - The Supply Chain Didn't Break. It Was Walked.

    This week's issue reads like a case study in cascade failure. A malicious VS Code extension on one #GitHub employee's device leads to 3,800 internal repositories exfiltrated — by #TeamPCP, the same group that poisoned 170 npm and #PyPI packages last week. #Grafana gets breached via a token nobody rotated after the TanStack attack, itself a TeamPCP operation. A GitHub Action used by thousands of projects gets compromised and starts exfiltrating CI/CD credentials. And somewhere in a public GitHub spreadsheet, CISA contractor credentials — including #AWS GovCloud keys — sat waiting to be found.

    These aren't four separate incidents. They're one incident with four manifestations. The supply chain isn't a vector anymore; it's the terrain. Developer tooling, CI/CD pipelines, third-party actions, tokens issued and forgotten — all of it is now actively mapped and exploited with a persistence that makes the traditional "patch and move on" response look quaint. The Verizon DBIR dropped this week noting that third-party compromise is surging. The week's news was already illustrating the point before the report landed.

    → Week #21/2026 also covers: fast16 predated #Stuxnet and corrupted nuclear simulations quietly, #Pwn2Own Berlin paid $1.3M for 47 bugs, and #Bluesky got hijacked for Russian propaganda.

    Full issue 👉 infosec-mashup.santolaria.net/

    If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

  12. 🕵🏻‍♂️ [InfoSec MASHUP] 21/2026 - The Supply Chain Didn't Break. It Was Walked.

    This week's issue reads like a case study in cascade failure. A malicious VS Code extension on one #GitHub employee's device leads to 3,800 internal repositories exfiltrated — by #TeamPCP, the same group that poisoned 170 npm and #PyPI packages last week. #Grafana gets breached via a token nobody rotated after the TanStack attack, itself a TeamPCP operation. A GitHub Action used by thousands of projects gets compromised and starts exfiltrating CI/CD credentials. And somewhere in a public GitHub spreadsheet, CISA contractor credentials — including #AWS GovCloud keys — sat waiting to be found.

    These aren't four separate incidents. They're one incident with four manifestations. The supply chain isn't a vector anymore; it's the terrain. Developer tooling, CI/CD pipelines, third-party actions, tokens issued and forgotten — all of it is now actively mapped and exploited with a persistence that makes the traditional "patch and move on" response look quaint. The Verizon DBIR dropped this week noting that third-party compromise is surging. The week's news was already illustrating the point before the report landed.

    → Week #21/2026 also covers: fast16 predated #Stuxnet and corrupted nuclear simulations quietly, #Pwn2Own Berlin paid $1.3M for 47 bugs, and #Bluesky got hijacked for Russian propaganda.

    Full issue 👉 infosec-mashup.santolaria.net/

    If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

  13. Dumb Ways for an Open Source Project to Die

    A good chunk of the most-depended-on open source packages are dead, and there are a lot of different ways for a project to end up that way.

    #opensource #maintainers #supplychain #pypi #python

    nesbitt.io/2026/05/19/dumb-way
    @pythonbytes @mkennedy

  14. Dumb Ways for an Open Source Project to Die

    A good chunk of the most-depended-on open source packages are dead, and there are a lot of different ways for a project to end up that way.

    #opensource #maintainers #supplychain #pypi #python

    nesbitt.io/2026/05/19/dumb-way
    @pythonbytes @mkennedy

  15. Now that the keynote is over, here are the open spaces that you can check out after the security update and the first talks after lunch. The job fair and poster sessions are also happening and I would recommend checking those out if you're interested.

    Starting at 10:00 AM:

    Room 102A: #Conda x #PyPI: Building Bridges That Actually Hold
    Room 102B: Scroll Lock Zine
    Room 102C: The Python Developers Survey: What Would YOU Ask?
    Room 202C: Financial Data with Python

    #PyConUS #PyConUSOpenSpaces

  16. Checkmarx nel mirino di TeamPCP: l’immagine Docker ufficiale di KICS trojanizzata per esfiltrare i segreti dell’infrastruttura

    Per la seconda volta in due mesi, il gruppo TeamPCP ha violato la supply chain di Checkmarx, pubblicando immagini Docker trojanizzate del security scanner KICS ed estensioni VS Code maligne capaci di rubare token cloud, credenziali GitHub e chiavi SSH. Il payload mcpAddon.js, consegnato tramite runtime Bun da un commit retrodatato, punta a trasformare ogni pipeline CI/CD in un punto di esfiltrazione.

    insicurezzadigitale.com/checkm

  17. Checkmarx nel mirino di TeamPCP: l’immagine Docker ufficiale di KICS trojanizzata per esfiltrare i segreti dell’infrastruttura

    Per la seconda volta in due mesi, il gruppo TeamPCP ha violato la supply chain di Checkmarx, pubblicando immagini Docker trojanizzate del security scanner KICS ed estensioni VS Code maligne capaci di rubare token cloud, credenziali GitHub e chiavi SSH. Il payload mcpAddon.js, consegnato tramite runtime Bun da un commit retrodatato, punta a trasformare ogni pipeline CI/CD in un punto di esfiltrazione.

    insicurezzadigitale.com/checkm

  18. Checkmarx nel mirino di TeamPCP: l’immagine Docker ufficiale di KICS trojanizzata per esfiltrare i segreti dell’infrastruttura

    Per la seconda volta in due mesi, il gruppo TeamPCP ha violato la supply chain di Checkmarx, pubblicando immagini Docker trojanizzate del security scanner KICS ed estensioni VS Code maligne capaci di rubare token cloud, credenziali GitHub e chiavi SSH. Il payload mcpAddon.js, consegnato tramite runtime Bun da un commit retrodatato, punta a trasformare ogni pipeline CI/CD in un punto di esfiltrazione.

    insicurezzadigitale.com/checkm

  19. Checkmarx nel mirino di TeamPCP: l’immagine Docker ufficiale di KICS trojanizzata per esfiltrare i segreti dell’infrastruttura

    Per la seconda volta in due mesi, il gruppo TeamPCP ha violato la supply chain di Checkmarx, pubblicando immagini Docker trojanizzate del security scanner KICS ed estensioni VS Code maligne capaci di rubare token cloud, credenziali GitHub e chiavi SSH. Il payload mcpAddon.js, consegnato tramite runtime Bun da un commit retrodatato, punta a trasformare ogni pipeline CI/CD in un punto di esfiltrazione.

    insicurezzadigitale.com/checkm

  20. Checkmarx nel mirino di TeamPCP: l’immagine Docker ufficiale di KICS trojanizzata per esfiltrare i segreti dell’infrastruttura

    Per la seconda volta in due mesi, il gruppo TeamPCP ha violato la supply chain di Checkmarx, pubblicando immagini Docker trojanizzate del security scanner KICS ed estensioni VS Code maligne capaci di rubare token cloud, credenziali GitHub e chiavi SSH. Il payload mcpAddon.js, consegnato tramite runtime Bun da un commit retrodatato, punta a trasformare ogni pipeline CI/CD in un punto di esfiltrazione.

    insicurezzadigitale.com/checkm

  21. Как опубликовать Python-пакет в PyPI с помощью Poetry

    Как создать и подготовить пакет к публикации с помощью Poetry и обойти подводные камни которые могут помешать это сделать.

    habr.com/ru/articles/1024972/

    #python #poetry #pypi #package #publish #tutorial

  22. 🐍 Oh look, another #PyPI mess! The telnyx package was hijacked, but don't worry, there's an AI-powered #security buzzword salad waiting to save us all. Just sprinkle a bit of "realtime visibility" and "continuous pentests" and voilà, instant safety illusion! 🚀🙄
    aikido.dev/blog/telnyx-pypi-co #Hijack #AI #RealtimeVisibility #ContinuousPentests #HackerNews #ngated

  23. 🐍 Oh look, another #PyPI mess! The telnyx package was hijacked, but don't worry, there's an AI-powered #security buzzword salad waiting to save us all. Just sprinkle a bit of "realtime visibility" and "continuous pentests" and voilà, instant safety illusion! 🚀🙄
    aikido.dev/blog/telnyx-pypi-co #Hijack #AI #RealtimeVisibility #ContinuousPentests #HackerNews #ngated

  24. 🐍 Oh look, another #PyPI mess! The telnyx package was hijacked, but don't worry, there's an AI-powered #security buzzword salad waiting to save us all. Just sprinkle a bit of "realtime visibility" and "continuous pentests" and voilà, instant safety illusion! 🚀🙄
    aikido.dev/blog/telnyx-pypi-co #Hijack #AI #RealtimeVisibility #ContinuousPentests #HackerNews #ngated

  25. 🐍 Oh look, another #PyPI mess! The telnyx package was hijacked, but don't worry, there's an AI-powered #security buzzword salad waiting to save us all. Just sprinkle a bit of "realtime visibility" and "continuous pentests" and voilà, instant safety illusion! 🚀🙄
    aikido.dev/blog/telnyx-pypi-co #Hijack #AI #RealtimeVisibility #ContinuousPentests #HackerNews #ngated

  26. 🐍 Oh look, another #PyPI mess! The telnyx package was hijacked, but don't worry, there's an AI-powered #security buzzword salad waiting to save us all. Just sprinkle a bit of "realtime visibility" and "continuous pentests" and voilà, instant safety illusion! 🚀🙄
    aikido.dev/blog/telnyx-pypi-co #Hijack #AI #RealtimeVisibility #ContinuousPentests #HackerNews #ngated

  27. 🚀 Mein erstes Paket ist live! 🛰️
    Ich habe gerade toybox-calc veröffentlicht – ein kleines CLI-Tool für Funkamateure, um die optimale Länge des Strahlers für die Comet HFJ-350M (Toy Box) Antenne zu berechnen.

    Jetzt verfügbar auf:
    📦 PyPI: pip install toybox-calc
    🏔️ AUR (Arch Linux): pikaur -S python-toybox-calc
    Inklusive i18n Support (DE/EN/JA) und ANSI-Farben fürs Terminal. Vy 73 de DO3EET! 📻

    #HamRadio #Amateurfunk #Python #ArchLinux #AUR #PyPI #OpenSource #HFJ350M #ToyBox #POTA #SOTA #Linux

  28. 🚀 Mein erstes Paket ist live! 🛰️
    Ich habe gerade toybox-calc veröffentlicht – ein kleines CLI-Tool für Funkamateure, um die optimale Länge des Strahlers für die Comet HFJ-350M (Toy Box) Antenne zu berechnen.

    Jetzt verfügbar auf:
    📦 PyPI: pip install toybox-calc
    🏔️ AUR (Arch Linux): pikaur -S python-toybox-calc
    Inklusive i18n Support (DE/EN/JA) und ANSI-Farben fürs Terminal. Vy 73 de DO3EET! 📻

    #HamRadio #Amateurfunk #Python #ArchLinux #AUR #PyPI #OpenSource #HFJ350M #ToyBox #POTA #SOTA #Linux

  29. 🚀 Mein erstes Paket ist live! 🛰️
    Ich habe gerade toybox-calc veröffentlicht – ein kleines CLI-Tool für Funkamateure, um die optimale Länge des Strahlers für die Comet HFJ-350M (Toy Box) Antenne zu berechnen.

    Jetzt verfügbar auf:
    📦 PyPI: pip install toybox-calc
    🏔️ AUR (Arch Linux): pikaur -S python-toybox-calc
    Inklusive i18n Support (DE/EN/JA) und ANSI-Farben fürs Terminal. Vy 73 de DO3EET! 📻

    #HamRadio #Amateurfunk #Python #ArchLinux #AUR #PyPI #OpenSource #HFJ350M #ToyBox #POTA #SOTA #Linux

  30. Mein immer-noch-nicht-fertiges Python-Programm kann jetzt richtige Releases, so mit wheel und git tag und so.

    Ich befehle "set -l release_name Trains; and just release patch" und es macht den Rest, so dass am Ende ein Release entsteht (z.b. sowas code.c-base.org/infuanfu/teilc) und auch auf den Package Index hochgelordet wird (code.c-base.org/infuanfu/-/pac)

    Hier mein release script: code.c-base.org/infuanfu/teilc

    #python #textual #release #teilchen #package #pypi #just #uv

    --
    aus dem #ICE1006 gesendet

  31. Mein immer-noch-nicht-fertiges Python-Programm kann jetzt richtige Releases, so mit wheel und git tag und so.

    Ich befehle "set -l release_name Trains; and just release patch" und es macht den Rest, so dass am Ende ein Release entsteht (z.b. sowas code.c-base.org/infuanfu/teilc) und auch auf den Package Index hochgelordet wird (code.c-base.org/infuanfu/-/pac)

    Hier mein release script: code.c-base.org/infuanfu/teilc

    #python #textual #release #teilchen #package #pypi #just #uv

    --
    aus dem #ICE1006 gesendet

  32. Another great #FOSDEM talk from Michael Winser at @openssf / #AlphaOmega about the terrible economics of package registries like #NPM #maven #PyPi #RubyGems #crates

    fosdem.org/2026/schedule/event

    Some charts from different registries are at go.xwind.io/registry-research-

    The slide below is a take on some of the common "solutions" that people come up with for funding registries (also applicable to non-registry products with large numbers of downloads) and what might happen if you choose them

  33. Another great talk from Michael Winser at @openssf / about the terrible economics of package registries like

    fosdem.org/2026/schedule/event

    Some charts from different registries are at go.xwind.io/registry-research-

    The slide below is a take on some of the common "solutions" that people come up with for funding registries (also applicable to non-registry products with large numbers of downloads) and what might happen if you choose them

  34. Another great #FOSDEM talk from Michael Winser at @openssf / #AlphaOmega about the terrible economics of package registries like #NPM #maven #PyPi #RubyGems #crates

    fosdem.org/2026/schedule/event

    Some charts from different registries are at go.xwind.io/registry-research-

    The slide below is a take on some of the common "solutions" that people come up with for funding registries (also applicable to non-registry products with large numbers of downloads) and what might happen if you choose them

  35. Another great #FOSDEM talk from Michael Winser at @openssf / #AlphaOmega about the terrible economics of package registries like #NPM #maven #PyPi #RubyGems #crates

    fosdem.org/2026/schedule/event

    Some charts from different registries are at go.xwind.io/registry-research-

    The slide below is a take on some of the common "solutions" that people come up with for funding registries (also applicable to non-registry products with large numbers of downloads) and what might happen if you choose them

  36. Another great #FOSDEM talk from Michael Winser at @openssf / #AlphaOmega about the terrible economics of package registries like #NPM #maven #PyPi #RubyGems #crates

    fosdem.org/2026/schedule/event

    Some charts from different registries are at go.xwind.io/registry-research-

    The slide below is a take on some of the common "solutions" that people come up with for funding registries (also applicable to non-registry products with large numbers of downloads) and what might happen if you choose them

  37. Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.

    Malware was published via compromised maintainer accounts:
    #SoftwareSupplyChainSecurity
    👇
    thehackernews.com/2026/02/comp

  38. Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.

    Malware was published via compromised maintainer accounts:
    #SoftwareSupplyChainSecurity
    👇
    thehackernews.com/2026/02/comp

  39. Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.

    Malware was published via compromised maintainer accounts:
    #SoftwareSupplyChainSecurity
    👇
    thehackernews.com/2026/02/comp

  40. Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.

    Malware was published via compromised maintainer accounts:
    #SoftwareSupplyChainSecurity
    👇
    thehackernews.com/2026/02/comp

  41. Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.

    Malware was published via compromised maintainer accounts:
    #SoftwareSupplyChainSecurity
    👇
    thehackernews.com/2026/02/comp

  42. Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

    1. --export-png images lets you export images of the analysis

    2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

    3. couple of small bug fixes and debugging related command line options

    You can try it on the web here: yaratoolkit.securitybreak.io/
    (I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

    - Github: github.com/michelcrypt4d4mus/y
    - Pypi: pypi.org/project/yaralyzer/
    - on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

    #ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

  43. Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

    1. --export-png images lets you export images of the analysis

    2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

    3. couple of small bug fixes and debugging related command line options

    You can try it on the web here: yaratoolkit.securitybreak.io/
    (I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

    - Github: github.com/michelcrypt4d4mus/y
    - Pypi: pypi.org/project/yaralyzer/
    - on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

    #ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

  44. Python Package Guru by Fabrizio Damicelli

    pypkg.guru

    search over #PyPI #python #packages
    faster than on pypi.org and interactively

    discover packages based on their capabilities (eg, try out "fast dataframe")

    #neurodon #neuroscience #compsci #scipy

  45. Python Package Guru by Fabrizio Damicelli

    pypkg.guru

    search over #PyPI #python #packages
    faster than on pypi.org and interactively

    discover packages based on their capabilities (eg, try out "fast dataframe")

    #neurodon #neuroscience #compsci #scipy