Mastodon

6 posts6 participants1 post today

LavX NewsBoosting PyPI's Test Suite: An 81% Performance ImprovementTrail of Bits has successfully optimized the test suite for PyPI's Warehouse, achieving a remarkable 81% reduction in execution time. This transformation not only enhances developer efficiency but als...<a href="https://news.lavx.hu/article/boosting-pypi-s-test-suite-an-81-performance-improvement" rel="nofollow noopener noreferrer" target="_blank">https://news.lavx.hu/article/boosting-pypi-s-test-suite-an-81-performance-improvement</a><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.cloud/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://mastodon.cloud/tags/pytest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pytest</a> <a href="https://mastodon.cloud/tags/sysmonitoring" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sysmonitoring</a>

LavX NewsExploiting Trust: Malicious PyPI Packages Use Gmail and WebSockets for Cyber HijackingA recent discovery of seven malicious packages on PyPI highlights a concerning trend in software supply chain attacks, leveraging trusted services like Gmail for data exfiltration. With one package do...<a href="https://news.lavx.hu/article/exploiting-trust-malicious-pypi-packages-use-gmail-and-websockets-for-cyber-hijacking" rel="nofollow noopener noreferrer" target="_blank">https://news.lavx.hu/article/exploiting-trust-malicious-pypi-packages-use-gmail-and-websockets-for-cyber-hijacking</a><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.cloud/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> <a href="https://mastodon.cloud/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://mastodon.cloud/tags/WebSockets" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebSockets</a>

The DefendOps DiariesTrusted platforms can become double agents. Cybercriminals are leveraging Gmail protocols to smuggle malicious packages through PyPI—an unsettling wake-up call for our cloud security. Are we really safe?<a href="https://thedefendopsdiaries.com/the-evolving-threat-landscape-pypi-and-cybersecurity-challenges/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thedefendopsdiaries.com/the-evolving-threat-landscape-pypi-and-cybersecurity-challenges/</a><a href="https://infosec.exchange/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/cloudsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cloudsecurity</a> <a href="https://infosec.exchange/tags/supplychainattack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#supplychainattack</a> <a href="https://infosec.exchange/tags/trustedprotocols" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#trustedprotocols</a>

Attractive NuisanceSo <a href="https://tech.lgbt/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> people what's your favourite way to check for vulnerabilities in your <a href="https://tech.lgbt/tags/PyPi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPi</a> supply chain?My app lives inside a <code>pipenv</code> and everything's installed in that, from <a href="https://tech.lgbt/tags/Django" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Django</a> to <a href="https://tech.lgbt/tags/gunicorn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#gunicorn</a>.

:rss: DevelopersIOAWS Glue for Spark のジョブから、AWS CodeArtifact を経由して PyPI のライブラリをインストールする <a href="https://dev.classmethod.jp/articles/aws-glue-for-spark-aws-codeartifact-pypi/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://dev.classmethod.jp/articles/aws-glue-for-spark-aws-codeartifact-pypi/</a><a href="https://rss-mstdn.studiofreesia.com/tags/dev_classmethod" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dev_classmethod</a> <a href="https://rss-mstdn.studiofreesia.com/tags/AWS_Glue" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AWS_Glue</a> <a href="https://rss-mstdn.studiofreesia.com/tags/AWS_CodeArtifact" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AWS_CodeArtifact</a> <a href="https://rss-mstdn.studiofreesia.com/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://rss-mstdn.studiofreesia.com/tags/Spark" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Spark</a> <a href="https://rss-mstdn.studiofreesia.com/tags/PySpark" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PySpark</a>

phildiniThe fine tradition of "releasing a package to <a href="https://wandering.shop/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> for the bit" continues at <a href="https://wandering.shop/tags/NBPy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NBPy</a> thanks to <a href="https://toots.n7.gg/@amethyst" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@amethyst</a> <a href="https://pypi.org/project/do-while/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://pypi.org/project/do-while/</a>

Seth LarsonNew data about packages on <a href="https://fosstodon.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>: <a href="https://github.com/sethmlarson/pypi-data/releases/tag/2025.04.25" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/sethmlarson/pypi-data/releases/tag/2025.04.25</a>

Stylusdear <a href="https://social.afront.org/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a> <a href="https://social.afront.org/tags/lazyweb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lazyweb</a> <a href="https://social.afront.org/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> Should I bother listing specific python versions in classifiers, like <code>Programming Language :: Python :: 3.13"</code> when there's also <code>requires-python</code> in <code>pyproject.toml</code>?Also should I take the trouble of specifying <code>Python :: 3 :: Only</code> in 2025?

Sarah AbderemaneWhile preparing my talk, I found some (small) accessibility issues in pypi warehouse project but seems like only maintainers can raise issues and I don't know what to do now, other type of issues doesn't seems to fit. Is there someone here I can talk to about that and eventually help for the fix? <a href="https://mastodon.social/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a>

Christian Lawson-PerfectI'm trying to publish a <a href="https://mathstodon.xyz/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> package (chirun) on <a href="https://mathstodon.xyz/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>. It depends on a fork of another package that has some bug fixes that I'm waiting to be merged into the original package. PyPI doesn't like me specifying a git repo address as a dependency.Do I need to publish the fork on PyPI in order to use it as a dependency in chirun?

Strypey"Users of PyPI and package managers in general should be checking that the package they are installing is an existing well-known package, that there are no typos in the name, and that the content of the package has been reviewed before installation."<a href="https://mastodon.nzoss.nz/tags/MikeFiedler" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MikeFiedler</a>, Safety & Security Engineer, PyPI, 2025<a href="https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/</a>Or, people could take responsibility for what they host on their code and package repositories, and stop hosting and shipping malware. How about that?<a href="https://mastodon.nzoss.nz/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> <a href="https://mastodon.nzoss.nz/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a>

TelegramFrom PyPI to the Dark Marketplace: How a Malicious Package Fuels the Sale of Telegram Identities ... <a href="https://www.imperva.com/blog/from-pypi-to-the-dark-marketplace-how-a-malicious-package-fuels-sale-of-telegram-identities/" rel="nofollow noopener noreferrer" target="_blank">https://www.imperva.com/blog/from-pypi-to-the-dark-marketplace-how-a-malicious-package-fuels-sale-of-telegram-identities/</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Imperva" target="_blank">#Imperva</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Threat" target="_blank">#Threat</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Research" target="_blank">#Research</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Applications" target="_blank">#Applications</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Imperva" target="_blank">#Imperva</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Pypi" target="_blank">#Pypi</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/session" target="_blank">#session</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/hijacking" target="_blank">#hijacking</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/tdata" target="_blank">#tdata</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/telegram" target="_blank">#telegram</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Thales" target="_blank">#Thales</a> <a href="https://awakari.com/pub-msg.html?id=NSgJXrFbvYYLvN7tjMk08NPxRa4" rel="nofollow noopener noreferrer" target="_blank">Event Attributes</a>

2rZiKKbOU3nTafniR2qMMSE0gwZFrom PyPI to the Dark Marketplace: How a Malicious Package Fuels the Sale of Telegram Identities ... <a href="https://www.imperva.com/blog/from-pypi-to-the-dark-marketplace-how-a-malicious-package-fuels-the-sale-of-telegram-identities/" rel="nofollow noopener noreferrer" target="_blank">https://www.imperva.com/blog/from-pypi-to-the-dark-marketplace-how-a-malicious-package-fuels-the-sale-of-telegram-identities/</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Imperva" target="_blank">#Imperva</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Threat" target="_blank">#Threat</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Research" target="_blank">#Research</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Applications" target="_blank">#Applications</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Imperva" target="_blank">#Imperva</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Pypi" target="_blank">#Pypi</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/session" target="_blank">#session</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/hijacking" target="_blank">#hijacking</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/tdata" target="_blank">#tdata</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/telegram" target="_blank">#telegram</a> <a rel="nofollow noopener noreferrer" class="mention hashtag" href="https://mastodon.social/tags/Thales" target="_blank">#Thales</a> <a href="https://awakari.com/pub-msg.html?id=7LeL3StJoewZw7iWOiyErs0BwrQ" rel="nofollow noopener noreferrer" target="_blank">Event Attributes</a>

OTX BotMalicious PyPi Package Detected Stealing Crypto TokensA malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and steals crypto tokens. The package overrides certain API functions, redirecting trading requests to a malicious server at greentreeone.com instead of the legitimate MEXC platform. It uses obfuscation techniques to hide its malicious code and tricks users into believing their orders are being processed normally. The attackers can potentially steal API keys, secrets, and other sensitive information used for crypto trading. Users are advised to revoke any compromised tokens and remove the malicious package immediately.Pulse ID: 67ffc3f9b1d4fcf877bf0734 Pulse Link: <a href="https://otx.alienvault.com/pulse/67ffc3f9b1d4fcf877bf0734" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67ffc3f9b1d4fcf877bf0734</a> Pulse Author: AlienVault Created: 2025-04-16 14:51:37Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cryptocurrency</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

Habr[Перевод] Когда ИИ становится троянским конем: 43% «галлюцинированных» имен пакетов регулярно повторяются в сгенерированном кодеAI-помощники регулярно "галлюцинируют" несуществующие пакеты, а злоумышленники используют эти имена для размещения вредоносного кода в репозиториях. Исследования показывают, что 5.2% рекомендаций пакетов от коммерческих моделей не существуют, а для open-source моделей этот показатель достигает 21.7%. Эта техника, названная "слопсквоттингом" (slopsquatting), особенно опасна в эпоху "vibe coding", когда разработчики безоговорочно доверяют рекомендациям AI.<a href="https://habr.com/ru/articles/901198/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://habr.com/ru/articles/901198/</a><a href="https://zhub.link/tags/%D0%B8%D1%81%D0%BA%D1%83%D1%81%D1%81%D1%82%D0%B2%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9_%D0%B8%D0%BD%D1%82%D0%B5%D0%BB%D0%BB%D0%B5%D0%BA%D1%82" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#искусственный_интеллект</a> <a href="https://zhub.link/tags/%D0%BA%D0%B8%D0%B1%D0%B5%D1%80%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#кибербезопасность</a> <a href="https://zhub.link/tags/slopsquatting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#slopsquatting</a> <a href="https://zhub.link/tags/%D1%80%D0%B0%D0%B7%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D0%BA%D0%B0" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#разработка</a> <a href="https://zhub.link/tags/%D0%B3%D0%B0%D0%BB%D0%BB%D1%8E%D1%86%D0%B8%D0%BD%D0%B0%D1%86%D0%B8%D0%B8_%D0%B8%D0%B8" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#галлюцинации_ии</a> <a href="https://zhub.link/tags/npm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#npm</a> <a href="https://zhub.link/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://zhub.link/tags/vibecoding" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vibecoding</a>

Antonio J. DelgadoThe GREATEST, most TREMENDOUS Python package that makes importing great again! <a href="https://pypi.org/project/tariff/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://pypi.org/project/tariff/</a> <a href="https://eu.mastodon.green/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://eu.mastodon.green/tags/USPOL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#USPOL</a> <a href="https://eu.mastodon.green/tags/PYPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PYPI</a>

Out of Control :laravel: 🇨🇦PyPi approved our Org! It only took just shy of 18 months. Hopefully this means the backlog is now getting sorted for everyone. <a href="https://phpc.social/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a> <a href="https://phpc.social/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#python</a>

guidoiaquintiIf you are scratching your head like me for random and weird CI/CD issues related to PyPI for the past hour: you’re not alone. PyPI is experiencing intermittent issues HTTP 5xx responses as well as occasional "No matching distribution found" errors using pip.<a href="https://mastodon.online/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.online/tags/pypi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pypi</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Carding" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Carding</a> tool abusing <a href="https://mastodon.thenewoil.org/tags/WooCommerce" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WooCommerce</a> API downloaded 34K times on <a href="https://mastodon.thenewoil.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a><a href="https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>'s <a href="https://mastodon.thenewoil.org/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPI</a> Finally Gets Closer to Adding 'Organization Accounts' and SBOMs<a href="https://developers.slashdot.org/story/25/04/05/0515241/pythons-pypi-finally-gets-closer-to-adding-organization-accounts-and-sboms" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://developers.slashdot.org/story/25/04/05/0515241/pythons-pypi-finally-gets-closer-to-adding-organization-accounts-and-sboms</a><a href="https://mastodon.thenewoil.org/tags/FOSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FOSS</a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mastodon.thenewoil.org/tags/SBoM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SBoM</a>

Recent searches

Search options

Administered by:

Server stats:

#pypi