News

PyPI invalidates tokens stolen in GhostAction supply chain attack

The Python Software Foundation team has invalidated all PyPI tokens stolen in the GhostAction supply chain attack in early ...
IEEE

A Needle is an Outlier in a Haystack: Hunting Malicious PyPI Packages with Code Clustering

Abstract: As the most popular Python software repository, PyPI has become an indispensable part of the Python ecosystem. Regrettably, the open nature of PyPI exposes end-users to substantial security ...
bitnewsbot

Malicious PyPI Packages Uncovered: Supply Chain Risk for Python

Cybersecurity researchers have found harmful software in the official Python Package Index (PyPI) and npm package repositories, putting software supply chains at risk. The packages, called termncolor ...
CSOonline

Malicious PyPI package targets Chimera users to steal AWS tokens, CI/CD secrets

“Chimera-sandbox-extensions” exploit highlights rising risks of open-source package abuse, prompting calls for stricter dependency controls and DGA malware detection. A malicious Python package posing ...
GitHub

Switch to trusted publishing for package upload to PyPI in CI

Trusted publishing (with attestations) means I can know for certain that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same ...
Hosted on MSN

Instagram and TikTok accounts are being stolen using malicious PyPI packages

Security researchers found three malicious PyPI packages The packages had around 7,000 downloads They were designed to check for active email accounts Security researchers have found some of the tools ...
The Hacker News

Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange ...
cryptonews

New Malicious Campaign Targets Atomic and Exodus Wallets

The researchers found “a number of campaigns” in recent weeks using a malicious package, pdf-to-office. According to the report, threat actors “have been targeting the cryptocurrency community hard ...
InfoWorld

3 takeaways from the Ultralytics AI Python library hack

When attackers compromised Ultralytics YOLO, a popular real-time object detection machine-learning package for Python, most assumed the Python Package Index, or PyPI, must be the point of failure.
IEEE

1+1>2: Integrating Deep Code Behaviors with Metadata Features for Malicious PyPI Package Detection

Abstract: PyPI, the official package registry for Python, has seen a surge in the number of malicious package uploads in recent years. Prior studies have demonstrated the effectiveness of ...
Cyber Defense Magazine

GitGuardian Researchers Find Thousands of Leaked Secrets in PyPI (Python Package Index) Packages

The modern world of DevOps means relying on our code connecting to outside services and components imported at run time. All of this access is predicated on secrets, the credentials such as API keys ...