#PyPI
SSH keys stolen by stream of malicious PyPI and NPM packages
https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/
#ycombinator #computers #windows #linux #mac #support #tech_support #spyware #malware #virus #security #Coding #Information_Stealer #Information_stealing_malware #npm #Package_Manager #Packages #PyPI #Repository #virus_removal #malware_removal #computer_help #technical_support
#CONDA and #pip (at least the “wheels” part of it) are essentially “binary distros”: they focus on distributing pre-built binaries without concern on how they were built, nor whether they can actually be built from source. Without a conscious effort to require reproducible builds so that anyone can independently verify binaries, these tools are doomed to be not only unsafe but also opaque—and there are to date no signs of CONDA and #PyPI /pip moving in that direction.
#guix
https://hpc.guix.info/blog/2021/09/whats-in-a-package/
https://nitter.net/benbovy/status/1440027976364552199#m
Published my first PyPI package using Trusted Publishers 🥳

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:
➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
➝ 🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-462023
27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts ⚠️
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html #Python #PyPI
#PyPi 27 Malicious Python PyPI Packages with Thousands of Downloads Found Targeting IT Experts. The malicious packages include: pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool:
#SupplyChainSecurity
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html
"27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts": The Hacker News
"It said that 27 packages disguised as popular, legitimate #Python libraries had attracted thousands of downloads. The majority of the downloads came from the United States, China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the United Kingdom and Japan."
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html
Among the deceptive packages were named pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, with the latter being planted on May 13, 2023.
#Linux users can no longer feel confident that they will not get unwanted garbage on their system when even package managers like #PyPI are contaminated. Destruction is increasing in all areas. Honestly, I don't understand what drives these disgusting creatures to ruin everything. How can you get excited about that? This doesn't just mean crackers, but also all those who wear ties, who also vehemently defend their actions and present them as a blessing for everyone.
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html
🐍 Developers can’t seem to stop exposing credentials in publicly accessible code | @arstechnica
"Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language"
Developers can’t seem to stop exposing credentials in publicly accessible code - https://arstechnica.com/?p=1984368 #coderepositories #credentials #passwords #security #biz #pypi
Ars Technica: Developers can’t seem to stop exposing credentials in publicly accessible code https://arstechnica.com/?p=1984368 #Tech #arstechnica #IT #Technology #coderepositories #credentials #passwords #Security #Biz&IT #pypi
Very nice! Way to go PyPI and Open Technology Fund. Seems like few significant issues were found in the audit of PyPI’s code base & infrastructure
#python #opensource #pypi #security
https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/
"PyPI has completed its first security audit"
https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/
💪 👏
New blogs:
@pypi has completed its first security audit
Read all about it in this 3-part blog series:
https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/
https://blog.pypi.org/posts/2023-11-14-2-security-audit-remediation-warehouse/
https://blog.pypi.org/posts/2023-11-14-3-security-audit-remediation-cabotage/
It was great working with @trailofbits on this.
It has been more than 6 months since my last report of a malicious package on #PyPI, and I started to think about retiring the Package Observatory Club, when I got another true positive:
mathz (or "SPY bot") was rudimentary remote control software with keylogging, screenshot and command execution capabilities. It communicates via Telegram. Comments were in Uzbek, at least according to Google Translate.
It was removed less than 3 minutes after my report - great job!
What has 3,938 total unique secrets across all projects?
#PyPI
This is not a joke.
https://blog.gitguardian.com/uncovering-thousands-of-unique-secrets-in-pypi-packages/
How do you personally pronounce #PyPI?
(Boosts OK. Also, this is *not* a question about the "correct" pronunciation.)
🐍 Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI
http://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html
New blog post: Diving into PyPI package name squatting:
https://blog.orsinium.dev/posts/py/pypi-squatting/
I always wanted to find time to dive into the subject, and today's news about yet another malware campaign on PyPI motivated me to do so.
Special thanks to @sethmlarson for providing the dataset.
Yet another software supply chain vulnerability. Last week, I highlighted issues with NuGet packages, this week - PyPi (Python Package Index), as reported by HackerNews, has packages infected with #Blazestealer
#python #pypi #vulnerability - I feel a blog brewing 😀
https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html

Finally got all of my non-google #2FA off of Google Authenticator & set up on #KeyPass #KeyPassXC
I had been putting it off out of fear that it was going to be painful & cumbersome.
For the websites/apps that I am using, I was pleasantly surprised that most of them seem to have their shit together (e.g. #pypi #protonmail #digitalocean #heroku etc.)
I can check one thing off of my todo list this week! Thanks for playing nice with your UI/UX #security
"Beware, Developers: #BlazeStealer #Malware Discovered in #Python #Packages on #PyPI": The Hacker News
""[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives the attacker full control over the victim's computer," it said.
The campaign, which began in January 2023, comprised a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse and pyobfgood, the last of which was published in October."
https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html
Beware, Developers: #BlazeStealer Malware Discovered in #Python Packages on #PyPI
https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html
@offby1 Or ask for commit rights & #pypi package rights.
pypi's own rules on what constitutes an abandoned package and #PEP541 may have some norms to guide you https://peps.python.org/pep-0541/#how-to-request-a-name-transfer
(That is about asking pypi to let you take it over, but I suppose you could use similar rules to justify a fork & rename)
#NeuroMastodon #ephys #spikesorting
📢📢📢📢📢
SpikeInterface v0.99.0 has been released on #PyPi!
https://pypi.org/project/spikeinterface/0.99.0/
Just run this to upgrade your installation:
>>> pip install --upgrade spikeinterface
Check out the release notes here:
https://spikeinterface.readthedocs.io/en/0.99.0/releases/0.99.0.html
How about some #npm #malware to start your day? Along with the #pypi campaign we have been reporting on, we have also identified a large number of #javascript packages deploying a reverse shell.
https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/
#opensource #cybersecurity #infosec #npmjs #nodejs #supplychain
New data on #Python packages hosted on #PyPI
https://github.com/sethmlarson/pypi-data/releases/tag/2023.10.31
Trusted publishing on #PyPI is great! https://docs.pypi.org/trusted-publishers/
Not worrying about API tokens is very nice (I used to create a temporary token to upload via `twine`)! Now a release is a 3-step process:
1. Bump version (and I'm using CalVer for everything I push to PyPI, so that's easy to figure out)
2. Run the release workflow (example: https://github.com/brettcannon/microvenv/blob/main/.github/workflows/release.yml)
3. Create a GitHub release
I plan to automate away step 1 via PDM or Hatch. 😁 And I can automate drafting GH releases.
I sat down with the awesome @mkennedy last month for a fun @talkpython #podcast conversation.
Check it out here:
https://talkpython.fm/episodes/show/435/pypi-security
I am surprised by the URL displayed on PyPI for the YAPF project: https://pypi.org/project/yapf/0.40.2/#description
- "url" is displayed instead of "Home",
- no documentation or issue URL is displayed
I thought it could be due to the quotes but the changelog URL is displayed.
Total Release count on @pypi just passed 5 million!
Did you know that #Yandex, the evil corporation of the evil state, has automatically registered almost 1200 projects on #PyPI? Apparently they are meant "to prevent Dependency Confusion attacks against Yandex". While many of them are indeed "yandex-namespace", they also registered random names like "selenium2mysql", "browser", "feedback", "git-pre-commit-hook", "parametrized", "easy_install" (removed by admins already)…
Scratch your own itches, they say.
Today's itch is repeatedly asking what version of [package] introduced an incompatible requirement on [other package], so I wrote a small #Python tool for querying the #PyPI JSON APIs to get an answer.
https://snoopj.dev/pyplay/packaging_/query_pypi_requirements_by_version/
At @codethink we care heavily about safety and we are eager to share this article about the dangers you could possibly face while using a very popular platform.
Learn how to make the most of PyPI while protecting yourself from security risks. In this blog, you will find insightful information on the potential dangers of PyPI and how you can navigate around them safely.
Read the full blog: https://www.codethink.co.uk/articles/2023/pypi-safety/
We are currently tracking a #pypi #malware campaign targeting cloud provider credentials!
#infosec #malware #opensource #python #aws #cybersecurity
https://blog.phylum.io/cloud-provider-credentials-targeted-in-new-pypi-malware-campaign/
And there it is, the good stuff 😎
The #ETA interface, available in Python via #PyPi
https://github.com/Poeschl/pyETA
I'm going to use it right away here too, with a small script, to keep track of changes to the charging times at my parents' home. :awesome: My dad likes to fiddle with those.
I've blogged previously about Python Packaging and described how to automate publishing to PyPI when your project is hosted on GitHub.
I've now worked out how to do this from GitLab and so have written that up too...
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #39/2023 is out! It includes the following and much more:
➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻♂️Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt
📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-392023
Publish Python packages to PyPI with Poetry
While working on my pyxavi #Python library I was wondering how complicated it would be to publish it like the rest of the packages I use often. How difficult is it to build and distribute a project through #PyPI? In this article I go through the steps of building and publishing a Python package to PyPI with #Poetry for everyone to use.
https://xavier.arnaus.net/blog/publish-python-packages-to-pypi-with-poetry
Got a problem with GitLab CI and Variables not being shown on pipelines triggered by $CI_COMMIT_TAG
If anyone has experience/ideas details are at
https://forum.gitlab.com/t/ci-variables-missing-when-triggering-build-based-on-tag/93309
New #PyPI dataset, who dis?
https://github.com/sethmlarson/pypi-data/releases/tag/2023.09.28
Some findings from the annual #Python survey by @ThePSF & #JetBrains
93% use Python 3.
The latest Python is used by most people (3.10 at the time of the survey), with each older release the next most popular: 3.10, 3.9, 3.8, 3.7, 3.6...
This is interesting as current #PyPI download stats show 3.8, 3.7, 3.9, 3.10, 3.11... There's a big skew for 3.7 from certain Linux distros (https://dev.to/hugovk/why-are-there-still-so-many-downloads-for-eol-python-37-30cp).
@pillow remains around ~30%.
50,000 folks have enabled 2FA on #PyPI! 👏👏👏 Thanks everyone who's done their part to keep the #Python ecosystem safe.
Have you done your part and enabled 2FA? 🤔
Read how: https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
🚀 sdfCAD is now available on PyPI!
https://pypi.org/project/sdfcad/
With this release I added some more shape inspection routines:
- obj.bounds returns [x,x,y,y,z,z] bounds
- obj.volume() brute-forces the object's volume
Both are still a little wonky, though. Lots of iterative optimization under the hood, that can go wrong...
Still useful to e.g. check programmatically if two shapes intersect. That's something #OpenSCAD can't do. 😉
#sdfCAD #PyPI #Python #3dprinting #3dmodelling #3ddesign #CAD
And we just keep finding more #malware. Another large multi-ecosystem campaign targeting #npm and #pypi.
Exfiltrating SSH keys and Kubernetes configuration files 😬
#infosec #opensource #javascript #python #cyberattack
https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi
@sckottie @siddhantgoel The API doesn't have more, but https://github.com/hugovk/norwegianblue is my client for the https://pypistats.org API.
There's also https://www.pepy.tech which has total downloads, but it includes downloads from PyPI and from PyPI mirrors.
To go to the source, both get data from BigQuery:
https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads/
For itertools.combinations(), itertools.permutations(), itertools.product() ... but as Sequences with random access (like range()) try python_toolbox.combi https://pypi.org/project/python-toolbox/
>>> import python_toolbox.combi
>>> perms = python_toolbox.combi.PermSpace('ABCD')
>>> len(perms)
24
>>> perms[3]
<Perm: ('A', 'C', 'D', 'B')>
>>> perms.index(('B', 'C', 'D', 'A'))
9
ℹ️ I've updated #PyXavi to version v0.3.3, fixing a dependency problem with #PyYaml, which published 6.0, which in turn is broken and is fixed by 6.0.1
The version is now published on #PyPI
https://pypi.org/project/pyxavi/
#Python things :python:
Thanks @github for the docs update!
New page on how to enable #GitHubActions trusted publishing to @pypi
More detailed (with pictures 🖼️ ) authored by @yossarian and other contributors!
https://docs.pypi.org/trusted-publishers/
I wrote a blog analyzing the inbound malware reports to @pypi
https://blog.pypi.org/posts/2023-09-18-inbound-malware-reporting/
I have animated a two-channel ‘CHSH’ Bell test experiment, as a #Python program. It is on #PyPI at https://pypi.org/project/Quantum-Correlations-Visualized/
If you read the source code, it will give an explanation of how the #simulation works. I STRONGLY encourage close study of the source code, for the reader to see that it is legitimate.
I'm very lazy about learning/taking care of certain things that would be very useful and cool :(
Example: publishing a #Python package on #PyPI
Context: I forked a #ThonnyIDE plug-in that formats code with #black, and changed the plug-in to format using #blue (because I prefer single quotes).
For other people to be able to use it, I'd need to publish my version of the plugin on PyPI, but who said I have the knack for doing that?
It's a mix of mental blocks and bureaucracy, inertia, laziness, all mixed together. I know it's not super hard, I could, I don't know, watch @dunossauro's livestream about packaging, but it's very, very *hard for me*.
If you don't have the blocks I have, there's this Python livestream here, with the dear @ayharano on top of that! https://www.youtube.com/watch?v=CW7Z1AqGyJM
@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.
https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/
It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.
To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile #reproduciblebuilds is now broken for those packages.
🥚 ❌
🛞 ✅
Following PEP 715, @pypi has deprecated the old egg format, use wheel instead.
https://blog.pypi.org/posts/2023-06-26-deprecate-egg-uploads/
https://pythonwheels.com
#Python #egg #wheel #PEP715 #bdist_egg #bdist_wheel #PyPI
So if you need some additional argument (besides e.g. these: sfconservancy.org/blog/2022/ju… ) to give up #github then you already have :-)
#forgejo #pypi #python #GiveUpGitHub
#PyPI will now enforce use of Trusted Publishers or API tokens for uploading distributions if the user has 2FA enabled:
https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/
If your package is hosted on GitHub, I highly recommend checking out Trusted Publishers instead of API tokens. You can find official documentation on how to use Trusted Publishers with PyPI here:
#pypi is doing the right thing and requiring 2 factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to github actions
#PyPI to enforce non-SMS 2FA for all package maintainers by the end of 2023, excellent work PyPI team to keep the #Python ecosystem safe! 💪
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
New blog: Securing PyPI accounts via Two-Factor Authentication, from @dstufft
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
Removing PGP from PyPI: https://blog.pypi.org/posts/2023-05-23-removing-pgp/ #Python #PyPI #PGP
The #PyPI team has been killing it lately, removing the ability to upload new PGP signatures following @yossarian's audit of PGP on PyPI 🚀
Wheel metadata are now available directly on PyPI – this eliminates the need to download and unpack the entire wheels and then analyse the metadata and especially the dependencies: https://peps.python.org/pep-0658/
#Python #Packaging #PyPI
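As an added illustration of what PEP 658 (and the PEP 714 attribute rename) makes possible, not code from PyPI, pip or the post above: a client that reads a wheel's dependencies from the index's core-metadata entry and verifies the published hash before trusting the METADATA file. The index HTML, file URLs and METADATA content are constructed samples; a real client would fetch `<wheel-url>.metadata` over the network.

```python
"""Dependencies from PEP 658 core metadata, without downloading the wheel."""
import hashlib
from email.parser import HeaderParser
from html.parser import HTMLParser

# Constructed METADATA file, as served at <wheel-url>.metadata (sample data).
METADATA_TEXT = """Metadata-Version: 2.1
Name: demo-pkg
Version: 1.2.0
Requires-Dist: requests>=2.31
Requires-Dist: pyyaml>=6.0.1
Requires-Dist: rich; extra == "cli"
"""
METADATA_SHA256 = hashlib.sha256(METADATA_TEXT.encode()).hexdigest()

# Constructed PEP 503 simple-index page. The sdist carries no metadata
# attribute (PEP 658 covers wheels only); the 1.1.0 wheel uses the PEP 714
# spelling and declares a hash that will not match our METADATA file.
SIMPLE_INDEX_HTML = f"""<!DOCTYPE html><html><body>
<a href="https://files.example/demo_pkg-1.2.0.tar.gz#sha256=00">demo_pkg-1.2.0.tar.gz</a>
<a href="https://files.example/demo_pkg-1.2.0-py3-none-any.whl#sha256=11"
   data-dist-info-metadata="sha256={METADATA_SHA256}">demo_pkg-1.2.0-py3-none-any.whl</a>
<a href="https://files.example/demo_pkg-1.1.0-py3-none-any.whl#sha256=22"
   data-core-metadata="sha256=deadbeef">demo_pkg-1.1.0-py3-none-any.whl</a>
</body></html>"""


class SimpleIndexParser(HTMLParser):
    """Collect (filename, file_url, declared_metadata_hash_or_None) per <a>."""

    def __init__(self):
        super().__init__()
        self.files = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        # PEP 714 renamed data-dist-info-metadata to data-core-metadata;
        # clients accept either name and prefer the newer one when both exist.
        meta = a.get("data-core-metadata") or a.get("data-dist-info-metadata")
        self._current = [None, a.get("href"), meta]

    def handle_data(self, data):
        if self._current is not None and data.strip():
            self._current[0] = data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.files.append(tuple(self._current))
            self._current = None


def list_files(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.files


def verify_metadata(metadata_text, declared):
    """Check a fetched METADATA file against the hash the index declared.
    A bare "true" means the file exists but no hash was published."""
    if declared == "true":
        return True
    algo, _, digest = declared.partition("=")
    if algo not in hashlib.algorithms_available or not digest:
        return False
    return hashlib.new(algo, metadata_text.encode()).hexdigest() == digest


def requires_dist(metadata_text):
    """Return the Requires-Dist entries of a core-metadata file, in order."""
    return HeaderParser().parsestr(metadata_text).get_all("Requires-Dist") or []


def dependencies_for(filename, html, fetched_metadata):
    """Dependencies of one wheel from its index entry plus its .metadata file.
    Returns None when no PEP 658 metadata is listed or the hash check fails."""
    for name, _url, meta in list_files(html):
        if name != filename:
            continue
        if meta is None or not verify_metadata(fetched_metadata, meta):
            return None  # sdist/old wheel, or mismatched (possibly tampered) file
        return requires_dist(fetched_metadata)
    return None
```

A hash mismatch is treated the same as missing metadata: the resolver falls back to the full wheel rather than trusting unverified dependency data.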
"PyPI new user and new project registrations temporarily suspended" due to high levels of malicious package uploads.
Absolutely the right decision by the PyPI administrators, take all the time you need 🤗
https://status.python.org/incidents/qy2t9mjjcc7g
I made a thing 🎨👁️
I've mentioned it before, but in case you missed it and are interested in working for @ThePSF to improve PyPI...
https://blog.pypi.org/posts/2023-05-09-announcing-pypi-safety-and-security-engr-role/
Both the new Flask and Werkzeug releases use PyPI's new OIDC trusted publisher integration with GitHub https://docs.pypi.org/trusted-publishers/ Really easy to set up and use, no more managing tokens manually. #Python #PyPI
Live launch from the floor of @PyConUS
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.
https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
cool, #Codecov just silently yanked the codecov package completely from #PyPI https://community.codecov.com/t/codecov-yanked-from-pypi-all-versions/4259
In the middle of a PyPI data migration no less.
Looks like #Codecov have not only deprecated but completely deleted their #Python package from #PyPI:
https://pypi.org/project/codecov/ is 404
https://github.com/codecov/python-standard/issues/31
Alternatives:
https://github.com/codecov/uploader
https://github.com/codecov/codecov-action

Latest attack on #PyPI users shows crooks are only getting better
More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the #Python #programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad.
On November 22, 2022, Flask and Werkzeug downloads per day dropped about 1 million. But I can't find a corresponding rise in any other framework, so I can only assume some service started caching PyPI much better. https://pepy.tech/project/flask?versions=2.2.*&versions=2.*&versions=1.*&versions=* #Python #PyPI