Is PyPI blocking the addition of modules from Russia?

This is more of a question than a statement of fact. The last time I uploaded an update to my module with twine was 11 June. For the last 4-5 days I have been unsuccessfully trying to publish another library. I have already "strained" ChatGPT and checked everything: the token is "for all projects", the .whl and tar.gz are small and not corrupted, one of them uploads to 100% and then hangs. I tried them one at a time - same picture. I tried with curl - same thing:

https://habr.com/ru/articles/919422/

#pyton #pypi


Chimera Sandbox impersonation malware lurking in #PyPI: JFrog sounds the alarm - innovaTopia

An algorithm that automatically generates domain names for malware to communicate with its command-and-control server. Jamf receipts. macOS management such as Jamf Pro ...
https://innovatopia.jp/cyber-security/cyber-security-news/57807/


PyPI Malware Exploits Instagram Growth Tools to Harvest Credentials

Pulse ID: 68496f698c9d93ca338f0790
Pulse Link: https://otx.alienvault.com/pulse/68496f698c9d93ca338f0790
Pulse Author: cryptocti
Created: 2025-06-11 11:58:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Instagram #Malware #OTX #OpenThreatExchange #PyPI #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
#NPM: New Supply Chain #Malware Hits NPM and #PyPI Package Ecosystems. #ReactNative-Aria & #GlueStack packages with cumulative 1mln+ weekly downloads backdoored overnight - check your dependencies!
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Supply chain attack infects 16 GlueStack npm packages used by 1M weekly users, enabling malware that steals data and controls systems.

The Hacker News
Malicious PyPI, npm and Ruby packages found in ongoing attacks on the open-source supply chain - Masterhacks Blog

And so we have another reason not to use #PythonPoetry. They have just reinvented the "reproducible build", and it turned out as usual. They completely missed the whole point of the idea and started forcing timestamps on files in source archives. On top of that, when SOURCE_DATE_EPOCH is not set, instead of disabling the feature they force a zero timestamp.

So all sdist archives created by Poetry and uploaded to #PyPI today have dates from 1970, which causes random problems. The most absurd part is that ZIP does not support such dates, so when they create binary wheel archives they overwrite that date with another random date 🤦.

https://github.com/python-poetry/poetry/issues/10083

Poetry v2 attaches the epoch timestamp to all files in the sdist .tar.gz file · Issue #10083 · python-poetry/poetry

Description I noticed this when I went to package cedar-backup3 v3.9.1 for Debian. I built and uploaded the .deb, and then Debian FTP Masters rejected the upload because some files were too old. It...

GitHub

New reason not to use #PythonPoetry just dropped: they reinvented "reproducible builds", poorly. The problem is, they missed the purpose of reproducible builds entirely and they use it for source distributions too, and when you don't use SOURCE_DATE_EPOCH, they force all files to epoch (as in timestamp 0) instead of leaving them alone.

Like, all source distributions created by Poetry and uploaded to #PyPI now have 1970 timestamps that, simply speaking, break stuff. The most absurd thing is that ZIP can't handle that timestamp, so they override it and use another date for wheels 🤦.

https://github.com/python-poetry/poetry/issues/10083

#Gentoo #PEP517

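A defender-side check for the effect the two Poetry posts above describe, added here as an example that is not from the posts or from the Poetry project: it builds a constructed sdist and wheel, flags tar members stamped at epoch 0, and shows that Python's stdlib zipfile refuses a pre-1980 timestamp unless strict_timestamps=False, in which case it is silently clamped to 1980-01-01. The function names and the sample file names are assumptions.

```python
"""Audit Python build artifacts for the degenerate timestamps described above.
Constructed sample data only; the two *_members checks are what a release
pipeline could run on a real .tar.gz / .whl before uploading to PyPI."""
import io
import os
import tarfile
import tempfile
import zipfile
from typing import List, Optional

ZIP_MIN_DATE = (1980, 1, 1, 0, 0, 0)  # earliest date a ZIP (DOS time) can store

def sdist_epoch_members(data: bytes) -> List[str]:
    """Names of tar members whose mtime is 0, i.e. 1970-01-01 (SOURCE_DATE_EPOCH unset)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return [m.name for m in tf.getmembers() if m.mtime == 0]

def wheel_clamped_members(data: bytes) -> List[str]:
    """Names of zip members stamped exactly at the ZIP minimum date (a clamped timestamp)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.date_time == ZIP_MIN_DATE]

def build_sdist(mtime: int) -> bytes:
    """Constructed sdist with a single file whose mtime is forced to `mtime`."""
    buf = io.BytesIO()
    payload = b"[project]\nname = 'pkg'\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("pkg-1.0/pyproject.toml")
        info.size = len(payload)
        info.mtime = mtime
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_wheel(mtime: int, strict: bool) -> Optional[bytes]:
    """Constructed wheel from a temp file with mtime `mtime`. Returns None when zipfile
    rejects the date (strict=True, year < 1980); strict=False substitutes 1980-01-01."""
    buf = io.BytesIO()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "__init__.py")
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))  # mimic a file whose mtime was forced to `mtime`
        try:
            with zipfile.ZipFile(buf, "w", strict_timestamps=strict) as zf:
                zf.write(path, "pkg/__init__.py")
        except ValueError:
            return None
    return buf.getvalue()
```

Running both checks on a real sdist and wheel pair catches the 1970 mtimes before Debian-style "too old" rejections, and the clamped 1980 date in the wheel is the tell that a pre-1980 value was overwritten.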

Fake Solana Tool on PyPI Used to Steal Source Code

Pulse ID: 6840208305b1b70ff9ee75fa
Pulse Link: https://otx.alienvault.com/pulse/6840208305b1b70ff9ee75fa
Pulse Author: cryptocti
Created: 2025-06-04 10:31:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PyPI #RCE #bot #cryptocti

You want to use a #StaticSiteGenerator and need to support #multilingual sites? It’s now easier than ever! For quite a while, #Pelican had a great plugin for that use case. Now I helped migrate it to the new plugin format, which means that it can easily be installed from #PyPI. https://github.com/pelican-plugins/i18n-subsites #MultilingualDH #MinimalComputing
GitHub - pelican-plugins/i18n-subsites: Pelican plugin that creates internationalized sub-sites for the default site


PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploaded to PyPI, using names similar to legitimate packages in both PyPI and NPM. The unusual tactic of using an NPM package name to attack PyPI users was observed. The payloads allow remote access, control of desktops and servers, and exfiltration of sensitive data. Windows payloads attempt to bypass antivirus protection. The campaign's sophistication suggests targeted adversarial activity, although attribution remains unclear.

Pulse ID: 683e1f7f063d60138cc2ccf6
Pulse Link: https://otx.alienvault.com/pulse/683e1f7f063d60138cc2ccf6
Pulse Author: AlienVault
Created: 2025-06-02 22:02:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Colorama #CyberSecurity #ICS #InfoSec #Java #JavaScript #Linux #NPM #OTX #OpenThreatExchange #PyPI #Python #RAT #SupplyChain #Windows #bot #AlienVault
