npm Packages Hit with TeamPCP-Style CanisterWorm Malware

Malicious npm packages associated with Namastex.ai were compromised with malware exhibiting tradecraft similar to TeamPCP's CanisterWorm campaign. The attack targeted packages including @automagik/genie and pgserve, implementing install-time execution that harvests credentials, environment variables, SSH keys, cloud credentials, browser data, and crypto-wallet artifacts. The payload exfiltrates stolen data to both a conventional webhook at telemetry.api-monitor.com and an Internet Computer Protocol canister endpoint. It incorporates self-propagation logic to compromise additional npm packages using stolen publishing tokens and includes cross-ecosystem spreading capabilities targeting PyPI. The malware uses hybrid encryption with RSA and AES-256-CBC for data exfiltration. Multiple package namespaces were affected, suggesting shared infrastructure or coordinated compromise across publisher accounts.

Pulse ID: 69e8f5ba273a5389cb4d03f5
Pulse Link: https://otx.alienvault.com/pulse/69e8f5ba273a5389cb4d03f5
Pulse Author: AlienVault
Created: 2026-04-22 16:22:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #ELF #Encryption #Endpoint #InfoSec #Malware #NPM #OTX #OpenThreatExchange #PyPI #RAT #SSH #Worm #bot #AlienVault


Looks like there aren't any #python issue/bug trackers that are
- easy to install (eliminates trac, roundup)
- can be found in #pypi (or is it just bad SEO?)
- aren't actually mostly GitHub clones (Kallithea)
- aren't actually help desk software (call center & tickets to fix printers, I guess.)

Really? I'm torn between wanting to write trac-init, roundup-init, and just writing what should be yet-another-issue-tracker.

RE: https://s.ovalerio.net/@dethos/116376071356641511

"A curated and practical list of security best practices for using Python packages from PyPI."

https://github.com/lirantal/pypi-security-best-practices

#security #supplychain #python #pypi #pip #uv

A great collection of #PyPI registry package manager #security best practices featuring uv and pip

https://github.com/lirantal/pypi-security-best-practices

#python #development


Beep, Beep - I am your friendly #Snakemake release announcement bot.

There is a new release of the Snakemake Reporter Plugin for Nanopubs systems. Its version now is 0.1.0!

Give us some time, and you will automatically find the plugin on #Bioconda and #Pypi.

This plugin is relevant for Snakemake users willing to publish
software metadata easily.
The maintainer is here on Mastodon: @rupdecat.

If you discover any issues, please report them on https://github.com/snakemake/snakemake-report-plugin-nanopub/issues.

See https://github.com/snakemake/snakemake-report-plugin-nanopub/releases/tag/v0.1.0 for details. Here is the header of the changelog:

How to publish a Python package to PyPI with Poetry

How to create and prepare a package for publication with Poetry, and how to get around the pitfalls that can get in the way.

https://habr.com/ru/articles/1024972/

#python #poetry #pypi #package #publish #tutorial


This is a neat solution for those old Python projects that have no uv, pyproject.toml, or version-pinned requirements.txt. It allows you to go "back in time" with pip!

https://pypi.org/project/pypi-timemachine/

Edit: @bk1e pointed out pip >= 26 has this option built-in. Use `--uploaded-prior-to`!

#python #pip #pypi


I made a thing, a soundscape based on #PyPI package data feed updates 🎶🐍📦🎶

Maybe you'll enjoy it too?
https://miketheman.github.io/listen-to-pypi/


Beep, Beep - I am your friendly #Snakemake release announcement bot.

There is a new release of the Snakemake Executor Plugin for SLURM systems. Its version now is 2.6.1!

Give us some time, and you will automatically find the plugin on #Bioconda and #Pypi.

This plugin is relevant for #HPC users using the #SLURM batch system.
The maintainers are here on Mastodon:
@rupdecat and @johanneskoester.

If you discover any issues, please report them on https://github.com/snakemake/snakemake-executor-plugin-slurm/issues.

See https://github.com/snakemake/snakemake-executor-plugin-slurm/releases/tag/v2.6.1 for details. Here is the header of the changelog:
Release Notes (possibly abridged):
Bug Fixes

* code refactoring: https://github.com/snakemake/snakemake-executor-plugin-slurm/issues/451
* handle integer slurm_account values from YAML parsing: https://github.com/snakemake/snakemake-executor-plugin-slurm/issues/448

The PSF is looking for a PyPI Sustainability Engineer to join the team! This is a full-time, 1-year contract (with the possibility of renewal), globally remote position. If you love #Python, care about open source, and want your work to matter at infrastructure scale, consider applying! Please boost this post and share it with your colleagues and networks. #PyPI #Python

https://pythonsoftwarefoundation.applytojob.com/apply/xz5k3X31UQ/Sustainability-Engineer-PyPI
