SFBA.social

5 posts4 participants0 posts today

Out of Control :laravel: 🇨🇦PyPi approved our Org! It only took just shy of 18 months. Hopefully this means the backlog is now getting sorted for everyone. <a href="https://phpc.social/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://phpc.social/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a>

guidoiaquintiIf you are scratching your head like me for random and weird CI/CD issues related to PyPI for the past hour: you’re not alone. PyPI is experiencing intermittent issues HTTP 5xx responses as well as occasional "No matching distribution found" errors using pip.<a href="https://mastodon.online/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.online/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Carding" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Carding</a> tool abusing <a href="https://mastodon.thenewoil.org/tags/WooCommerce" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WooCommerce</a> API downloaded 34K times on <a href="https://mastodon.thenewoil.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a><a href="https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>'s <a href="https://mastodon.thenewoil.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> Finally Gets Closer to Adding 'Organization Accounts' and SBOMs<a href="https://developers.slashdot.org/story/25/04/05/0515241/pythons-pypi-finally-gets-closer-to-adding-organization-accounts-and-sboms" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://developers.slashdot.org/story/25/04/05/0515241/pythons-pypi-finally-gets-closer-to-adding-organization-accounts-and-sboms</a><a href="https://mastodon.thenewoil.org/tags/FOSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FOSS</a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mastodon.thenewoil.org/tags/SBoM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SBoM</a>

R.L. Dane :Debian: :OpenBSD: 🍵I'm not responding to anything that has happened yet today, but given the past couple weeks, I'm thinking I should just add <code>pipx upgrade yt-dlp</code> to a cronjob on all my computers now. XD(Like, every third day or so, to be kind to the <a href="https://polymaths.social/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> servers <code>^__^</code>)<a href="https://polymaths.social/tags/youtube" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Youtube</a>'s war against its own users is getting nuts.

FeohMan, I wish we had the equivalent of Jon Gjengset's outstanding "De-crusting The $X Crate" <a href="https://oldbytes.space/tags/rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#rust</a> videos for <a href="https://oldbytes.space/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> <a href="https://oldbytes.space/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> packages.The format is beautiful. Let's peel back the covers on some code library we all use and REALLY understand what's going on under the covers.Am I missing out? Is there somebody out there doing work like this? Please throw me a line if you're in the know :) Thanks!

Karl Voit :emacs: :orgmode:<a href="https://graz.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>: Malicious <a href="https://graz.social/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> Packages Stole <a href="https://graz.social/tags/Cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cloud</a> <a href="https://graz.social/tags/Tokens" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Tokens</a>—Over 14,100 Downloads Before Removal <a href="https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html</a><a href="https://graz.social/tags/complexity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#complexity</a> <a href="https://graz.social/tags/dependencies" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependencies</a> <a href="https://graz.social/tags/programming" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#programming</a> <a href="https://graz.social/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a>

Hugo van Kemenade<a href="https://infosec.exchange/@sysosmaster" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@sysosmaster</a> <a href="https://infosec.exchange/@0x40k" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@0x40k</a> Trusted Publishing gives provenance of which repo the files were uploaded from, the workflow file, and commit. For example:<a href="https://pypi.org/project/urllib3/2.3.0/#urllib3-2.3.0-py3-none-any.whl" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://pypi.org/project/urllib3/2.3.0/#urllib3-2.3.0-py3-none-any.whl</a>Downstream verification for installers such as pip is the next step:<a href="https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</a><a href="https://mastodon.social/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> <a href="https://mastodon.social/tags/PEP740" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PEP740</a> <a href="https://mastodon.social/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://mastodon.social/tags/TrustedPublishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TrustedPublishing</a>

Tommi Nieminen<a href="https://mastodontti.fi/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a>-siirto etenee: <a href="https://mastodontti.fi/tags/Firefox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Firefox</a> siirretty <a href="https://mastodontti.fi/tags/googleauthenticator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#googleauthenticator</a>'ista <a href="https://mastodontti.fi/tags/Aegis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Aegis</a>'iin, <a href="https://mastodontti.fi/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> Aegisiin ja <a href="https://mastodontti.fi/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yubikey</a>'hin. <a href="https://mastodontti.fi/tags/atkjuttuja" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#atkjuttuja</a>

mgorny-nyan (on) :autism:🙀🚂🐧Są dni, kiedy jestem naprawdę już zmęczony podejściem autorów oprogramowania do twórców dystrybucji. Nie chodzi tylko o niewdzięczność — to wręcz ignorowanie ogromu pracy, jaki wkładamy, żeby to wszystko trzymało się kupy. A jakby nie patrzeć, to cały czas polegają na naszej pracy.Może nie używają <a href="https://pol.social/tags/Gentoo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gentoo</a>. Może ich distro to <a href="https://pol.social/tags/Debian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Debian</a>, <a href="https://pol.social/tags/Fedora" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fedora</a>, <a href="https://pol.social/tags/Arch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Arch</a>, jakaś ich pochodna, albo coś zupełnie innego. Czy to znaczy, że wysiłek wkładany przez Gentoo się nie liczy? A co, jeżeli ten sam problem spotyka twórców dystrybucji, używanej przez nich? A jeżeli nawet nie, to czy autorzy oprogramowania, którzy akurat używają Gentoo, powinni teraz być wrodzy wobec innych dystrybucji?Może nie zgadzają się z tą czy inną, naszą zasadą. Może nawet używają Gentoo, ale nie zgadzają się z tym, w jakim kierunku zmierza. No ale cóż, nie są sami na świecie. Staramy się najlepiej jak możemy, przy dostępnych nam środkach, dla wszystkich użytkowników Gentoo. Nie twierdzę, że zawsze mamy rację, ale wypadałoby mieć naprawdę dobry powód, żeby to wszystko tak po prostu negować.Może wcale nie używają paczek Pythona z dystrybucji, może nienawidzą tej koncepcji samej w sobie i życzą sobie, by zrównano ją z ziemią, a każdy użytkownik brał paczki wprost z <a href="https://pol.social/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>, albo innego ekosystemu. No ale nie zgadniecie — są jednak ludzi, którym te nasze paczki pomagają, i którzy chcą ich używać. I są projekty, które nie są w stanie działać w innym ekosystemie, bo potrzebują lepszego zarządzania pakietami. A my jesteśmy tu właśnie dla nich.No więc, spoko. Może nie używają dystrybucji, nad którą ja pracuję, ani nawet żadnych projektów, przy których pracuję. Może nie zgadzają się z żadnymi moimi pomysłami, może cała moja praca jest dla nich bez wartości. Może nigdy z niej nie skorzystają. Ani ich znajomi, rodziny, ani nikt, kto ich mógłby choć trochę obchodzić. Ale mimo to wszystko, wciąż jest wielu ludzi, którzy potrzebują naszej pracy — więc za kogo mają się ci właśnie autorzy, żeby pokazywać im wszystkim digitus impudicus?<a href="https://pol.social/tags/WolneOprogramowanie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WolneOprogramowanie</a> <a href="https://pol.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>

mgorny-nyan (he) :autism:🙀🚂🐧Some days I'm so tired of upstream developers being so adverse to downstream maintainers. Like, it's not just the ungratefulness — it's like completely neglecting the tons of work we're putting into keeping things working. And they literally rely on our work (unless they're running their own distribution).Yeah, sure, maybe you don't use <a href="https://social.treehouse.systems/tags/Gentoo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gentoo</a>. Maybe you use <a href="https://social.treehouse.systems/tags/Debian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Debian</a>, or <a href="https://social.treehouse.systems/tags/Fedora" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fedora</a>, or <a href="https://social.treehouse.systems/tags/Arch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Arch</a>, or their derivates, or some other independent distribution. Does that mean that Gentoo work is insignificant? What if the developers of your distribution are facing exactly the same problem? And even if they weren't, does that mean that upstreams using Gentoo should become adverse to the distribution you're using?Yeah, sure, maybe you don't agree with one of our principles or another. Maybe you even are a Gentoo user, yet disagree with how Gentoo works. Well, even so, you're not the only Gentoo user out there. We're doing the best we can with what we have, and we're trying to make sure things work best for everyone in Gentoo. I'm not saying we're always right, but you really should have a good reason to despise all the work we've been doing.Yeah, sure, maybe you don't use distribution <a href="https://social.treehouse.systems/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> packaging at all, maybe you despise it entirely and wish it would all be burned down to the ground in favor of everyone using wheels from <a href="https://social.treehouse.systems/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>, or whatever. But guess what — there are people who actually find it advantageous, and benefit from it, and want to use it. And there are projects that simply don't work in that ecosystem at all, and need a better package manager. And we're here, for them.So, yeah, sure. Maybe you don't use the distribution I'm working on, nor any projects I'm working on. Maybe you disagree with me on every single principle, and don't see any purpose in any of my work. Maybe you will never use any of it. Maybe your friends or your family, or anyone you know or care about will even benefit from any of it. Still, there's a lot of people who do and who need this, and who are you to give them the digitus impudicus?<a href="https://social.treehouse.systems/tags/FreeSoftware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FreeSoftware</a>

Sam Stepanyan :verified: 🐘<a href="https://infosec.exchange/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>: 20 Malicious Python PyPI Packages Stole Cloud Tokens - Over 14,100 Downloads Before Removal: <a href="https://infosec.exchange/tags/SoftwareSupplyChainSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SoftwareSupplyChainSecurity</a> 👇 <a href="https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html</a>

Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:<a href="https://kolektiva.social/tags/Hackers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Hackers</a> are poisoning <a href="https://kolektiva.social/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> again. Devs, check your dependencies NOW!Cybercriminals planted 20 fake Python packages on PyPI—stealing cloud access tokens from AWS, Alibaba Cloud, and Tencent Cloud. These packages, disguised as "time" utilities, racked up 14,100+ downloads before removal.👀 One even snuck into a GitHub project with 519 stars and 42 forks.<a href="https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html</a>

0x40kHey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind? 😂Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/pentest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pentest</a> <a href="https://infosec.exchange/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> <a href="https://infosec.exchange/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/cloudsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cloudsecurity</a>

Wagtail👀 uv users, what was going on in July-August 2024 that made you all download Wagtail 30x more than usual?! monthly downloads from uv jumped from 15k to 500k <a href="https://fosstodon.org/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://fosstodon.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>

Andrii Kuznietsov🐍Репозиторій <a href="https://social.kyiv.dcomm.net.ua/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> запроваджує нові умови обслуговування для облікових записів. Відтепер з компаній, які розміщують свої проекти на PyPI, стягується плата в якості комісії та «за послуги підтримки».Представник <a href="https://social.kyiv.dcomm.net.ua/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> Software Foundation І Дурбін пояснив, що нові умови для платних облікових записів поки перебувають в бета-версії. Після завершення бета-тестування вартість платного акаунту PyPi становитиме $5 за користувача на місяць. <a href="https://highload.tech/uk/najbilshyj-katalog-python-paketiv-pypi-zaprovadzhuye-platni-poslugy/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://highload.tech/uk/najbilshyj-katalog-python-paketiv-pypi-zaprovadzhuye-platni-poslugy/</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Ethereum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ethereum</a> private key stealer on <a href="https://mastodon.thenewoil.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> downloaded over 1,000 times<a href="https://www.bleepingcomputer.com/news/security/ethereum-private-key-stealer-on-pypi-downloaded-over-1-000-times/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/ethereum-private-key-stealer-on-pypi-downloaded-over-1-000-times/</a><a href="https://mastodon.thenewoil.org/tags/crypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#crypto</a> <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

FeohStruggling through publishing my first self authored <a href="https://oldbytes.space/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> package to <a href="https://oldbytes.space/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> My pyproject.toml fu is weak :) For now!

LavX NewsMalicious PyPI Package Steals Ethereum Keys: A Wake-Up Call for Blockchain DevelopersA newly discovered malicious package on PyPI has raised alarms in the blockchain development community, stealing Ethereum private keys through deceptive wallet creation functions. With over a thousand...<a href="https://news.lavx.hu/article/malicious-pypi-package-steals-ethereum-keys-a-wake-up-call-for-blockchain-developers" rel="nofollow noopener noreferrer" target="_blank">https://news.lavx.hu/article/malicious-pypi-package-steals-ethereum-keys-a-wake-up-call-for-blockchain-developers</a><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.cloud/tags/BlockchainSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlockchainSecurity</a> <a href="https://mastodon.cloud/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://mastodon.cloud/tags/Ethereum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ethereum</a>

Varbin :arctic_fox: :gay_furr:With this “trusted publishing” uploading packages from GitHub to PyPI really became easy… Just enter project details and workflow filename and poof it works. No API key management any more! PyPI even links all binaries to the commits and even verifies the project URLs. Together with setuptools-scm, new releases are just created by tagging them.It leaves a sour feeling that this is all proprietary though… You can't configure it for your own CI/CD platform for example.<a href="https://infosec.exchange/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> <a href="https://infosec.exchange/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://infosec.exchange/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#github</a> <a href="https://infosec.exchange/tags/supplychainsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#supplychainsecurity</a>

Recent searches

Search options

Administered by:

Server stats:

#pypi