[Перевод] Отчёт PSF об инциденте атаки на цепочку поставок LiteLLM/Telnyx + рекомендации

В этой статье рассмотрены две недавние атаки на цепочку поставок, направленные на пользователей популярных пакетов PyPI — litellm и telnyx. Также описаны рекомендации разработчикам и сопровождающим Python о том как подготовиться и защитить свои проекты.

https://habr.com/ru/articles/1019638/

#pypi #litellm #telnyx #security #атака_на_цепочку_поставок #best_practices #безопасность #python #trusted_publishers #trivy

Have any big Python packages moved off of Github given the general wtfery going on there?

I’m considering moving my package elsewhere and I think the only thing I would miss would be the nice CI workflow for publishing to PyPI, unless that is also portable?

#python #pypi #pythonpackage

RE: https://fosstodon.org/@pypi/116335453780319113

rapport d'incident par @miketheman & @sethmlarson sur la corruption de #liteLLM & #Telnyx via #Trivy : https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack/

Conseils :
- délai de précaution dans la montée de version des dépendances
-- pip.conf
[install]
uploaded-prior-to = P3D
-- uv.toml / pyproject.toml
[tool.uv]
exclude-newer = "P3D"
- utiliser un lockfile pour les dépendances transitives
- publication : par le trusted publishing, surveiller les PR touchant aux workflows de CI

#Python #PyPI #cybersécurité #supplychain

#TIL: There is a UK Ministry of Justice #PyPi account: https://pypi.org/user/ministryofjustice/

Discovered because I was wondering if there is a #Python library for UK public holiday data, as want something that updates itself really, and ideally isn't some sort of live API (which would be daft)... I mean, probability is fairly high we'll have some random extra one sooner rather than later when Charlie pops his clogs.

There is such a library, and the Minstry of Justice is one of its maintainers: https://pypi.org/project/govuk-bank-holidays/

Whodathunkit... (assuming this is a real official account.)

LiteLLM PyPI 감염 사건, AI 개발 공급망 공격이 작동하는 방식

https://aisparkup.com/posts/10533

AI 생산성 혁명이라는데, 데이터는 왜 조용한가

https://aisparkup.com/posts/10506

While I have to deal with all manner of garbage & malware throughout my workday, the redeeming part is that it's pushed me to improve my handling tooling.
So when a bigger issue happens, the tooling is super helpful with analysis and remediation.

#OpenSource #Python #SupplyChain #Security #PyPI #kaizen

TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised.

Pulse ID: 69cabb96c63dbeb412355267
Pulse Link: https://otx.alienvault.com/pulse/69cabb96c63dbeb412355267
Pulse Author: AlienVault
Created: 2026-03-30 18:06:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CodeInjection #CyberSecurity #HTTP #HTTPS #ICS #InfoSec #Linux #Mac #MacOS #Malware #OTX #OpenThreatExchange #PyPI #Python #RAT #Steganography #Windows #bot #AlienVault