Active supply chain attack across NPM, PyPI, and Crates.io

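A cryptocurrency-stealing malware called TrapDoor has been found in 34 packages and 384 versions across major package ecosystems including npm, PyPI, and Crates.io, and an active supply chain attack is underway. The attackers steal sensitive information such as cryptocurrency wallets, SSH keys, cloud credentials, and GitHub tokens, and the security research team Socket detected the malicious packages within an average of 5 minutes 27 seconds. The attack mainly targets AI, DeFi, and security developers, so immediate response and caution are needed.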

https://twitter.com/socketsecurity/status/2058565153138844043

#supplychainattack #npm #pypi #cratesio #security

Socket (@SocketSecurity) on X

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets

X (formerly Twitter)

feed2fedi 3.7.6

- Security: upgraded idna and pymdown-extensions to versions without known vulnerabilities
- Pre-commit hooks updated to latest versions (ruff, uv, zaojun)

#Python #PyPI #RSS #Fediverse

longwei 1.5.0
- Pre-commit hooks updated to latest versions (ruff, uv, zaojun)
- Security: upgraded urllib3, idna, and pymdown-extensions to versions without known vulnerabilities
- Added `get_trending_hashtags()` to retrieve trending tags from an instance

#Python #PyPI #ActivityPub #OpenSource

@andrewnez

via @pythonbytes :

#423: Traveling the Python Universe
A map of #Python

Cool visualization of dependencies in #PyPI packages
https://fi-le.net/pypi/

Even cooler visualization (linked from main article)

https://anvaka.github.io/pm/#/galaxy/python?cx=-2700&cy=377&cz=5622&lx=0.0204&ly=-0.2338&lz=-0.0081&lw=0.9720&ml=150&s=1.75&l=1&v=2015-09-27T13-00-00Z

A Map of Python - fi-le.net

PyPI, the Python Software Foundation's package repo, counts over half a million open source projects. Since I use many of these every day, it seemed appropriate to get to know this set of packages better, and show some appreciation. The index website provides nice search and filtering, which is good when looking for something specific. Here though, we want to take a look at every package at once, to construct a visualization, and perhaps even discover some cool new packages....

The Fiefdom of Files

@andrewnez
Inspired by #XKCD #2347, Stacktower renders dependency graphs as physical towers where blocks rest on what they depend on. Your application sits at the top, supported by libraries below—all the way down to that one critical package maintained by some dude in Nebraska.

#python #pypi

https://github.com/stacktower-io/stacktower

zaojun 1.5.3
- Address 3 pysentry security vulnerabilities in transitive dependencies

#Python #PyPI #CLI #OpenSource

This Week in Security: AI Generated Reports, More AI Generated Reports, GitHub Chaos, and More Linux Vulnerabilities

https://fed.brid.gy/r/https://hackaday.com/2026/05/22/this-week-in-security-ai-generated-reports-more-ai-generated-reports-github-chaos-and-more-linux-vulnerabilities/

This Week In Security: AI Generated Reports, More AI Generated Reports, GitHub Chaos, And More Linux Vulnerabilities

Google’s Project Zero demonstrates a new zero-click exploit for the Pixel 10 phones, showing a full escalation from remote to kernel without user interaction. During the investigation Project…

Hackaday

@andrewnez
Diffify provides you with a comparison between different versions of R packages stored on CRAN and #Python packages stored on #pypi

Say you were using a particular version of a package in a project and now a new version is available. With diffify you are easily able to check what has been changed in the new release. In particular, diffify will provide you with information from the NEWS file as well as changes in the dependencies, namespace and functions of the package
https://diffify.com/

Welcome to diffify!

Diffify provides you with a comparison between different versions of R packages stored on CRAN or Python packages stored on PyPI.

Next supply chain compromise on PyPI! 🔥 🔥 🔥

https://advisories.gitlab.com/pypi/guardrails-ai/CVE-2026-45758/

Use PipCanary or similar to protect your secrets!

https://pypi.org/project/pipcanary/

#cybersecurity #python #pypi

CVE-2026-45758: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI. Affected: any user who …

GitLab Advisory Database (GLAD)