The #PyConUS #Security Track fires back up after lunch! See you at 1:45PM in Room 103ABC where Python core developer Emma Smith (@emmatyping) will be talking about "Rust and CPython".

Don't miss it!! 🦀🐍

https://us.pycon.org/2026/schedule/presentation/1/

#rust #python #pyconus2026 #supplychain #memorysafety #pypi

Rust for CPython: Making Python Safer and More Robust for Everyone

You're running a program written in Python and suddenly Segmentation fault (Core dumped) - your program crashed. Wait what? Python … Presented by: Emma Smith

PyCon US 2026
Great start to @psobot lightning talk "@chrisjrn you will not regret letting me give a lightning talk ... Here's my live demo of how to make PyPI perfectly secure ... pip install flask ... floppy disk required ... @sethmlarson do you have a copy of Flask for me?" *inserts disk into floppy disk reader* flopyPI #python #pyconus #flask #pypi
New blog post!

In which I do alliteration and inform that version 0.3.0 of my project, Pyriodic Backend has been released to PyPi!

Pyriodic Backend, The Backend for the Static Web, is a framework to, well, periodically, update content and styling of static websites using simple Python.

I hope it will be useful with the current revival of small, personal websites written in pure HTML.

And now version 0.3.0 is released which adds ways to modify not only the content of the webpage, but also its styling, and also adds predefined methods for common use cases.

Blog post: https://stfn.pl/blog/99-pyriodic-backend-3/

Link to PyPi: https://pypi.org/project/pyriodic-backend/

And here's my cat :)

#python #pypi #smallWeb #webDevelopment #HTML #blog #CatsOfMastodon

It has still got a way to go but here is a tool for making the missing #pypi user profile.

But Matt, where do you put the signature or rel=me? In a package!

Pypi is pretty meager for profile info, but you can publish a #python package with a whole website in it.

https://pypi.org/project/pypi-profile/0.1.0/

๐Ÿ” Catch PSF's PyPI Safety and Security Engineer, @miketheman, talking Trusted Publishing at #OSSummit next week! Learn how to eliminate long-lived credentials from your #PyPI release workflow: no tokens, no secrets, just secure deploys. Tue May 19 @ 11am CDT #Python #SupplyChain #Security
https://osselcna2026.sched.com/event/2JQsc
Open Source Summit + Embedded Linux Conference North America 2026: Trusted Publishing: Eliminating Credenti...
Ask HN: How do you defend against supply chain attacks today?

Recently, software supply chain attacks on NPM and PyPI packages have been increasing rapidly and becoming more complex. Existing dependency scanners are slow to respond, and automatic updates are not effective because they risk pulling in malicious code. Because auditing every dependency version one by one is costly, developers are looking for more efficient and faster strategies to defend against supply chain attacks.

https://news.ycombinator.com/item?id=48134972

#supplychainsecurity #npm #pypi #dependencysecurity #softwaresecurity

<at my funeral>: "And I leave my remaining wealth to the first heir to contractually agree with the estate to maintain my 55 #pypi packages and update them forever."

I'm pretty sure that is what companies think open source maintainers do.

BEEP, BEEP - I am your friendly #Snakemake release announcement bot.

There is a new release of Snakemake. Its version now is 9.21.0!

Give us some time, and you will automatically find it on #Bioconda and #Pypi.

The maintainer is here on Mastodon: @johanneskoester.

If you discover any issues, please report them on https://github.com/snakemake/snakemake/issues.

See https://github.com/snakemake/snakemake/releases/tag/v9.21.0 for details. Here is the header of the changelog:
๐‘…๐‘’๐‘™๐‘’๐‘Ž๐‘ ๐‘’ ๐‘๐‘œ๐‘ก๐‘’๐‘  (๐‘๐‘œ๐‘ ๐‘ ๐‘–๐‘๐‘™๐‘ฆ ๐‘Ž๐‘๐‘๐‘Ÿ๐‘–๐‘”๐‘’๐‘‘):
๐…๐ž๐š๐ญ๐ฎ๐ซ๐ž๐ฌ

* add a function to help with prepending arguments to filenames; close [#672]: https://github.com/snakemake/snakemake/issues/672, https://github.com/snakemake/snakemake/issues/4090

Bug Fixes

* close plugin handlers after draining QueueListener in LoggerManager.stop: https://github.com/snakemake/snakemake/issues/4137

๐๐ž๐ซ๐Ÿ๐จ๐ซ๐ฆ๐š๐ง๐œ๐ž ๐ˆ๐ฆ๐ฉ๐ซ๐จ๐ฏ๐ž๐ฆ๐ž๐ง๐ญ๐ฌ

* adjust default sqlite PRAGMAs, auto detect network fstype: https://github.com/snakemake/snakemake/issues/4152

Malware Worm Targets npm, PyPi in Mass Supply-Chain Attack

A self-spreading worm, dubbed Mini Shai-Hulud, has infected over 170 packages with nearly 180 million weekly downloads, posing a massive threat to the software supply chain. This highly contagious malware has been open-sourced, making it easier for others to exploit and escalate the attack.

https://osintsights.com/malware-worm-targets-npm-pypi-in-mass-supply-chain-attack?utm_source=mastodon&utm_medium=social

#SupplyChain #MalwareOperations #Npm #Pypi #Shaihulud

https://www.golem.de/news/supply-chain-angriff-hunderte-von-npm-und-pypi-paketen-kompromittiert-2605-208562.html

"Most ... are NPM packages. ... but packages from the Python Package Index (PyPI) are also affected, for example from Mistral AI and Guardrails AI. In each case the attackers injected malicious code that serves the data exfiltration already mentioned. It reaches the target systems in the form of a roughly 2.3 MByte, heavily obfuscated file named router_init.js."

#pypi is deep in #ai and was one argument for the founding of @sovtechfund

#security

Supply chain attack: Hundreds of NPM and PyPI packages compromised - Golem.de

The hacker group TeamPCP is once again digging through countless NPM and Python packages and spreading malicious code that primarily collects credentials.

Golem.de