📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #21/2023 is out! It includes, but not only:

‣ 🇬🇧 🇺🇸 #NHS data breach: trusts shared patient details with #Facebook without consent
‣ ☁️ Severe Flaw in #Google Cloud's Cloud #SQL Service Exposed Confidential Data
‣ 🇨🇭 💰 US govt contractor #ABB confirms #ransomware attack, data theft
‣ 🦠 🤖 #Predator: Looking under the hood of Intellexa’s #Android spyware
‣ 🇦🇿 🇦🇲 Hacking in a war zone: #Pegasus #spyware in the Azerbaijan-Armenia conflict
‣ 🦠 🎮 Dark Frost #Botnet Launches Devastating #DDoS Attacks on Gaming Industry
‣ 🇷🇺 🦠 Mysterious #malware designed to cripple industrial systems linked to #Russia
‣ 🇧🇷 🇵🇹 ‘Operation Magalenha’ targets credentials of 30 Portuguese #banks
‣ 🩹 #GitLab 'strongly recommends' patching max severity flaw ASAP
‣ 🇮🇷 🇮🇱 Iranian hackers use new #Moneybird ransomware to attack Israeli orgs
‣ 🇺🇦 Cyber Attacks Strike #Ukraine's State Bodies in Espionage Operation
‣ 🇨🇳 🇺🇸 Chinese state hackers infect critical infrastructure throughout the US and Guam
‣ 🐍 👨🏻‍⚖️ #PyPI was subpoenaed
‣ 🇰🇵 🦠 N. Korean #Lazarus Group Targets #Microsoft IIS Servers to Deploy Espionage Malware
‣ 🦠 🤖 Data Stealing Malware Discovered in Popular Android Screen Recorder App
‣ 🇩🇪 Arms maker Rheinmetall confirms #BlackBasta ransomware attack
‣ 🦠 New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments
‣ 🇺🇸 🇰🇵 Treasury Department sanctions entities tied to North Korean IT scams, hacking
‣ 🇺🇸 📰 Cuba ransomware claims #cyberattack on Philadelphia Inquirer
‣ 🇺🇸 🏥 After ransomware attack, state’s second-largest health insurer says patient data stolen
‣ 🇯🇵 🇮🇳 🏍️ #Suzuki motorcycle plant shut down by cyber attack
‣ 🇺🇸 🪖 #Pentagon explosion hoax goes viral after verified #Twitter accounts push
‣ 🇺🇸 🇪🇺 #Meta Fined Record $1.3 Billion and Ordered to Stop Sending European User Data to US
‣ 🦠 🎬 Cloned #CapCut websites push information stealing malware
‣ 🇰🇷 🇺🇸 Warning: #Samsung Devices Under Attack! New Security Flaw Exposed
‣ 🍏 #Apple fixes three new zero-days exploited to hack iPhones, Macs

#hacking #cyber #cyberdefense #security #health #cloud #infrastructure #OT #ICS

📚 This week's recommended reading is: "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape" by Sounil Yu

Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️

ricardo :mastodon:
7 hours ago

#PyPI says bye-bye to as much IP address data as it can.

12 hours ago

「PyPI to implement mandatory two-factor authentication for project owners」: The Hacker News

「The Python Package Index (PyPI) announced last week that all accounts managing projects on the official third-party software repository must enable two-factor authentication (2FA) by the end of the year.」

「This enforcement also covers organization administrators, but it does not apply to all users of the service.」

#prattohome #PyPI #Python
12 hours ago
Matthew Martin ☑ ✅📛
21 hours ago

I updated most of my #pypi project to use "trusted publisher"

I can't figure out how to get an "environment" to only allow deployment from tags (which bizarrely #github treats as "branches") so I instead add an approver step and potentially all builds can be deployments, but only if I click OK.

Completely invisible...

1 day ago

Following the various malware issues, #pypi follows #github and #npm 's footsteps and accounts that manage a project will require #2fa

ricardo :mastodon:
2 days ago

US government hits #PyPI with demands for data on developers ⚠️

PyPI published a post saying it received three subpoenas from the US Department of Justice targeting five users, demanding the users' names, addresses, service usage records and other information.

Some Hacker News users believe the wording of the post may indicate that PyPI has also received other requests for user information that it is not permitted to disclose [1].

[Thanks to 夜坂雅 for this news.]



Original Telegram post

3 days ago

「Subpoena to PyPI: US government demands data on developers」: The Register

「In total, user data associated with five PyPI usernames was requested by the Department of Justice.」

「The FRB asked for the names, addresses (including mailing, email, residential and work addresses), connection records, session time records and associated network identifiers, account creation dates, and the telephone numbers and IP addresses used at registration or payment for the identified accounts; information on the PyPI packages uploaded by the identified users, the uploaded Python packages, and IP address download logs.」


#prattohome #TheRegister #Python #pypi #米国 #司法省

Matthew Martin ☑ ✅📛
3 days ago

So I can use the "Trusted Publisher" feature to publish from github without secrets, but no obvious clue on #pypi to say that the package was uploaded via Trusted Publisher.


CK's Technology News
3 days ago

US government hits #PyPI with demands for data on developers

3 days ago

🐍 Securing PyPI accounts via Two-Factor Authentication

"Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023."

#PyPI #2FA #Python #Infosec

Aida Akl
3 days ago
Matthew Martin ☑ ✅📛
4 days ago

#pypi is doing the right thing and requiring 2 factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to github actions

Seth Michael Larson
4 days ago

#PyPI to enforce non-SMS 2FA for all package maintainers by the end of 2023, excellent work PyPI team to keep the #Python ecosystem safe! 💪

Damien Goutte-Gattat
4 days ago

Just when I thought that I couldn’t possibly be more disappointed by #Python's tooling and environment, now #PyPI is no longer supporting #OpenPGP signatures:…

Their rationale for doing so is one of the stupidest things I‘ve ever read about OpenPGP — and I’ve read a lot of stupid takes about OpenPGP over the years!

It basically boils down to two points:

1) One-third of the public keys used “were not discoverable on major public #keyservers, making it difficult or impossible to meaningfully verify those signatures”.

2) Half of the other keys “were unable to be meaningfully verified at the time of the audit“.

On the first point: just because you can‘t find a key on keyservers doesn‘t mean the key can’t be used. Keyservers have never been the one and only way to distribute keys. Actually, the OpenPGP world has been moving away from keyservers for several years already, and most keyservers are slowly dying. The keyserver from the Sequoia-PGP folks is one of the few exceptions.

On the second point: WTF? Just because you were unable to “meaningfully verify” a key doesn’t mean anything! The validity of an OpenPGP key is not something absolute that can be verified by an auditor and then held true for everybody. The entire point of OpenPGP, compared to the X.509 world, is that it is up to each individual user to verify the validity of keys (possibly using the #web-of-trust, but that’s not the only way, and actually, as for the keyservers, the OpenPGP world has been moving away from the WoT). A key that is unverified for Alice may very well be perfectly valid for Bob.

5 days ago

🚨 PyPI was subpoenaed
➥ Ee Durbin

"The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel"

#Python #PyPI

5 days ago

The Python Software Foundation (PSF, running PyPI) was subpoenaed by the US department of justice for information on 5 users.
I wonder what caused them to act on these cases.

#PyPI #python

PyPI no longer supports attaching PGP signatures to PyPI packages. Signatures on already uploaded packages may still be available, but signatures on newly uploaded packages will be ignored.

Recent statistics show that, excluding the cases where the PGP key used for signing cannot be found on mainstream keyservers and where the signing key has been revoked or has expired, only 36% of PyPI package signatures could possibly be verified reliably, and those signatures cover only 0.3% of the files of PyPI packages.

[Thanks to 夜坂雅 for this news.]


Original Telegram post

Seth Michael Larson
6 days ago

The #PyPI team has been killing it lately, removing the ability to upload new PGP signatures following @yossarian's audit of PGP on PyPI 🚀

Marcel SIneM(S)US
6 days ago

Too much malicious code: package registry #PyPI temporarily blocked all new projects | Developer

1 week ago


Perhaps the #PyPI people are the only ones willing to pull the handbrake, unlike other lang registries that worry about optics first.

"PyPI, the official third-party registry of open source Python packages has temporarily suspended new users from signing up, and new projects from being uploaded to the platform until further notice.

The unexpected move comes amid the registry's struggle to upkeep with a large influx of malicious users and packages"

1 week ago

In the blog post, @yossarian looked at the signatures on PyPI packages.
Result: worse than useless.
Keys not obtainable, signatures long expired, etc. If you want a good scare, read the post.
#PGP #PyPI #Python

PGP signatures on PyPI: worse than useless

Python's package management site PyPI has suspended the creation of new accounts and packages, because several administrators are on leave and the current number of malicious accounts and packages is too large for the remaining administrators to handle.

[Thanks to 夜坂雅 for this news.]

#Python #PyPI

Original Telegram post

The Cybersecurity Librarian :donor:
1 week ago

This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.

But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.

Python (pypi), Javascript (npm), Java (maven), Ruby, and even VS Code extensions are all under constant unrelenting attack. When a single package is trojanized, that threat is inherited by every application that includes the compromised package.

The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.

For example, in 2022 there was a sudden increase in the number and effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.

PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomenon; the constant stream of attacks is new.

You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.

There is no one solution, but solutions are needed.

My action item for you is this. Do not read cybersecurity about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand than little ones but need the most urgent action.

Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".

#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain

Screenshot of an announcement from the PyPI python repository that they are suspending registration of new accounts due to malicious activity.
1 week ago

The open source repository for #Python projects #PyPI has been flooded with #Malware and is not admitting any new users.

Veit Schiele
1 week ago

Wheel metadata are now available directly on the PyPI – this eliminates the need to download and unpack the entire wheels and then analyse the metadata and especially the dependencies:
#Python #Packaging #PyPI

Veit Schiele
1 week ago

“PyPI new user and new project registrations temporarily suspended.”
#Python #PyPI #OpenSource #itsecurity

1 week ago

"PyPI new user and new project registrations temporarily suspended" due to high levels of malicious package uploads.
Absolutely the right decision by the PyPI administrators, take all the time you need 🤗

#python #PyPI #infoSec #malware

Thomas Wouters
3 weeks ago

I've mentioned it before, but in case you missed it and are interested in working for @ThePSF to improve PyPI...

#PyPI #Python #Hiring

Both the new Flask and Werkzeug releases use PyPI's new OIDC trusted publisher integration with GitHub. Really easy to set up and use, no more managing tokens manually. #Python #PyPI

Hynek Schlawack
2 months ago

cool, #Codecov just silently yanked the codecov package completely from #PyPI

In the middle of a PyPI data migration no less.


Matthew Martin ☑ ✅📛
3 months ago

You know what would be nice? Having to opt into downloading a pypi package from any account that is less than 12 months old. This would kill typosquatting & give malicious package detectors enough time to find the bad before people install by accident.

#pypi #python

On November 22, 2022, Flask and Werkzeug downloads per day dropped about 1 million. But I can't find a corresponding rise in any other framework, so I can only assume some service started caching PyPI much better. #Python #PyPI

It turns out that #PyPI #RSS release feeds are unreliable, as new versions sometimes end up at the very end of the feed rather than the beginning, and #Liferea just strips them, so I never learn that I'm supposed to have bumped something.


Open Source JobHub
4 months ago
Python Software Foundation

The image is for the people in the back...

(from this wonderful blog post about #Python #packaging: #pypi #notadeveloper

Python users are not software engineers

Many of the users who write Python code are not primarily full-time software engineers or “developers”. They are not particularly interested in this aspect of their job. They’re using Python as a tool to get their job done. They’re not interested in the details of how the tool works, or even how complicated things are under the hood.

As Thea (Stargirl) Flowers said recently:

    The reason there are so many tools for managing Python dependencies is because Python is not a monoculture and different folks need different things.

Seth Michael Larson
5 months ago

Another #dataset updated for the holidays, I compile #OpenSSF Scorecard data on the top 5,000 most downloaded #Python packages on #PyPI and make it available here:


OpenSSF Scorecards data for top Python packages with an explanation where the data is sourced from, updated weekly, docs on individual scorecard checks, and a note on missing values still counting in the calculations. Shows the top packages by scores in a table, currently top packages are urllib3, flatbuffers, presidio-analyzers, apache-airflow, and apache-airflow-providers-common-sql. More packages are available below.
RecursiveNeuron :verified:
5 months ago

Python 3.11 improvement:

This is a graph of CPU utilization for the web services that power #PyPI.

▶️ They upgraded from python 3.10 to 3.11
▶️ a significant and correlated drop in CPU usage

#python #python3 #pythonprogramming #programming #python311

Seth Michael Larson
5 months ago

:python:📦 New #dataset of #PythonPackaging data right before Christmas! This one has data on over 400K #Python packages and 180K maintainers of those packages.


If you've never seen this project, it's a snapshot in time for most packages on #PyPI with data about the package, maintainers, dependencies, URLs, #OpenSSF scorecard data, and more! You can query it via #Datasette or #SQLite.

Check it out here:

Ratul Maharaj
6 months ago

Yesterday when hearing about the rise of malicious #pypi packages on the #realpython podcast, I had an idea for a package I’m calling `pre-pip`.

It’s a way to run some custom #python code before a #pip command. This could potentially be used to check if a package is on a known list of bad packages before installing it or to automatically upgrade pip before a pip install.

Seems there are lots of possibilities here.

#prepip #fosstodon #opensource #rich #click #precommit

Terminal window showing pre-pip python package
Seth Michael Larson
6 months ago

#urllib3 v2.0 has been downloaded nearly 100K times since it was first published to #PyPI. Read the migration guide and give v2.0 a try in your own projects:

Louis Lang
6 months ago

⚠️ #typosquatting packages published to #pypi this morning.

- ulrlib3
- btoocore
- typing-extnesions

These #malware #python packages send host information to a remote machine.

#python3 #infosec #opensource

Louis Lang
6 months ago

Detected a new #typosquatting campaign that appears to be starting on #pypi. The package `ttensorflow` was recently published. Malware tucked away in an innocuous file named `version`. #python #pip #malware #opensource
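The names reported in the two posts above (`ulrlib3`, `btoocore`, `typing-extnesions`, `ttensorflow`) are all one edit away from a popular project. As an added example, not code from any of the posts or from PyPI, here is a defender-side screen of the kind a pre-install hook (like the `pre-pip` idea further up) or a CI gate could run; the popular-project list, the candidate names and the one-edit threshold are assumptions constructed for the demo.

```python
"""Flag package names that sit within one edit of a popular PyPI project.

Added example: the POPULAR list is a constructed stand-in for a real
top-N download list, and the threshold is an assumption for the demo.
"""
import re

# Constructed list of well-known projects; a real deployment would load
# the top few thousand names by download count.
POPULAR = ["urllib3", "botocore", "typing-extensions", "tensorflow", "requests"]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent
    transposition (optimal string alignment), so a swapped pair such as
    ulrlib3/urllib3 costs one edit rather than two."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def check(name: str, popular=POPULAR, max_distance: int = 1):
    """Return the popular project `name` is suspiciously close to, or None.
    An exact match after normalization is the real project, not a squat.
    Very short names will false-positive at distance 1; raise the bar or
    require a minimum length for those in a real deployment."""
    n = normalize(name)
    best = None
    for p in popular:
        target = normalize(p)
        if n == target:
            return None
        d = levenshtein(n, target)
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best[0] if best else None


def screen(names):
    """Map each flagged name to the project it imitates (clean names omitted)."""
    return {n: hit for n in names if (hit := check(n)) is not None}
```

Run `screen(["ulrlib3", "btoocore", "typing-extnesions", "ttensorflow", "numpy"])` to see the four reported names flagged and `numpy` pass.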

I am thrilled to announce the immediate availability of version 1.3.0 of the pygamelib! The code and changelog are available on Github: Install it through #pypi and have fun developing #TUI games in #Python!

#gamedev #asciiart #indiegamedev

#RFC: The maintain-website-tool is now available on #PyPI.

It can be installed and run on the commandline.

I'm looking for #ideas and #contributions for other tools to add to this package.

#SocialCoding #Codeberg