The PSF's PyPI Safety and Security Engineer, @miketheman, is giving a keynote at OpenSSF Community Day this Thursday! "Anatomy of a Phishing Campaign" is a deep dive into the 2025 PyPI phishing attack, how it worked, and what stopped it.

Thu May 21 @ 9:20am CDT 👉 https://openssfcdna2026.sched.com/event/2I44z

#Python #PyPI #SupplyChain #Security
https://openssfcdna2026.sched.com/event/2I44z

OpenSSF Community Day North America 2026: Keynote: Anatomy of a Phishing Campaign...

View more about this event at OpenSSF Community Day North America 2026

PyPI packages are increasing rapidly

The number of new package versions published to PyPI per week has surged by more than 30% in recent months, driven largely by releases of AI-related packages. This is increasing the burden on PyPI maintainers, and hexora, a malicious-code detection tool, points to a growing false-positive problem because so many packages make heavy use of eval, exec, and subprocess. Some packages also show abnormal behavior such as republishing hundreds of times a day, which threatens the stability and security of the ecosystem. These trends are expected to create real difficulties for supply-chain attack response and ecosystem management.

https://rushter.com/blog/pypi-packages/

#pypi #python #security #supplychain #opensource

PyPI packages are increasing rapidly

My thought on increased amount of packages published to PyPi.

Artem Golubin
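The false-positive problem described in the post above comes from rules that fire on any use of eval, exec or subprocess. The following is an added example (not hexora's code, nor anything from the linked article) of a small AST-based scanner with a naive rule and a stricter rule that only keeps calls whose arguments are not literals; the two sample modules are constructed for the demo.

```python
import ast
from typing import List, Tuple

# Constructed sample modules (not real PyPI packages).
BENIGN_SRC = '''
import subprocess
def run_tests():
    # Fixed argv; a plain "uses subprocess" rule still flags this line.
    return subprocess.run(["pytest", "-q"], check=False)
'''

SUSPICIOUS_SRC = '''
import base64
payload = "cHJpbnQoJ2hpJyk="  # constructed; decodes to print('hi')
exec(base64.b64decode(payload))
'''

# Dotted names a scanner like the one in the post would treat as risky.
RISKY_CALLS = {"eval", "exec", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "os.system"}


def _dotted(node: ast.AST) -> str:
    # Turn Name / Attribute chains into "a.b.c"; other shapes yield "".
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def _only_literals(call: ast.Call) -> bool:
    # True when every positional argument is a constant or a list/tuple of constants.
    for a in call.args:
        if isinstance(a, ast.Constant):
            continue
        if isinstance(a, (ast.List, ast.Tuple)) and all(
                isinstance(e, ast.Constant) for e in a.elts):
            continue
        return False
    return True


def scan(source: str, strict: bool = False) -> List[Tuple[int, str]]:
    """Return (line, call) for risky calls found in source.
    strict=True drops calls whose arguments are all literals, which removes
    the fixed-argv subprocess pattern that dominates benign hits."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS and not (strict and _only_literals(node)):
                hits.append((node.lineno, name))
    return hits
```

The naive rule flags both modules; the strict rule keeps only the exec call fed from a decoded value, which is the shape a reviewer actually wants to look at.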

> 120 malicious packages have been pulled from RubyGems

https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html

For those counting: #npm, #PyPI, #RubyGems, #cargo #NuGet, #packagist and #Maven so far…

RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded

RubyGems halted new registrations after a major attack involving hundreds of malicious packages, increasing supply chain risks.

The Hacker News
XOBytes, the friendly hug of data sizes. (Thanks to Fastly for providing exabytes of bandwidth to the PSF and PyPI for free 🤯) #PyConUS #PyPI #Python

Now that the keynote is over, here are the open spaces that you can check out after the security update and the first talks after lunch. The job fair and poster sessions are also happening and I would recommend checking those out if you're interested.

Starting at 10:00 AM:

Room 102A: #Conda x #PyPI: Building Bridges That Actually Hold
Room 102B: Scroll Lock Zine
Room 102C: The Python Developers Survey: What Would YOU Ask?
Room 202C: Financial Data with Python

#PyConUS #PyConUSOpenSpaces

The #PyConUS #Security Track fires back up after lunch! See you at 1:45PM in Room 103ABC where Python core developer Emma Smith (@emmatyping) will be talking about "Rust and CPython".

Don't miss it!! 🦀🐍

https://us.pycon.org/2026/schedule/presentation/1/

#rust #python #pyconus2026 #supplychain #memorysafety #pypi

Rust for CPython: Making Python Safer and More Robust for Everyone

You're running a program written in Python and suddenly Segmentation fault (Core dumped) - your program crashed. Wait what? Python … Presented by: Emma Smith

PyCon US 2026
Great start to @psobot lightning talk "@chrisjrn you will not regret letting me give a lightning talk ... Here's my live demo of how to make PyPI perfectly secure ... pip install flask ... floppy disk required ... @sethmlarson do you have a copy of Flask for me?" *inserts disk into floppy disk reader* flopyPI #python #pyconus #flask #pypi
New blog post!

In which I do alliteration and inform that version 0.3.0 of my project, Pyriodic Backend has been released to PyPi!

Pyriodic Backend, The Backend for the Static Web, is a framework to, well, periodically, update content and styling of static websites using simple Python.

I hope it will be useful with the current revival of small, personal websites written in pure HTML.

And now version 0.3.0 is released which adds ways to modify not only the content of the webpage, but also its styling, and also adds predefined methods for common usecases.

Blog post: https://stfn.pl/blog/99-pyriodic-backend-3/

Link to PyPi: https://pypi.org/project/pyriodic-backend/

And here's my cat :)

#python #pypi #smallWeb #webDevelopment #HTML #blog #CatsOfMastodon

It's still got a way to go, but here is a tool for making the missing #pypi user profile.

But Matt, where do you put the signature or rel=me? In a package!

Pypi is pretty meager for profile info, but you can publish a #python package with a whole website in it.

https://pypi.org/project/pypi-profile/0.1.0/


🔐 Catch PSF's PyPI Safety and Security Engineer, @miketheman, talking Trusted Publishing at #OSSummit next week! Learn how to eliminate long-lived credentials from your #PyPI release workflow: no tokens, no secrets, just secure deploys. Tue May 19 @ 11am CDT #Python #SupplyChain #Security
https://osselcna2026.sched.com/event/2JQsc
Open Source Summit + Embedded Linux Conference North America 2026: Trusted Publishing: Eliminating Credenti...

View more about this event at Open Source Summit + Embedded Linux Conference North America 2026