Popular telnyx package compromised on PyPI by TeamPCP

The popular telnyx package on PyPI, used by big AI companies, has been compromised by TeamPCP

For those using uv, you can at least partially protect yourself against such attacks by adding this to your pyproject.toml:

[tool.uv]
exclude-newer = "7 days"

or this to your ~/.config/uv/uv.toml:

exclude-newer = "7 days"

This will prevent uv picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.
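To make concrete what an exclude-newer window actually filters on, here is an added example (not from the comment above and not uv's own code) that models the policy against the release metadata PyPI publishes: each file carries an upload timestamp, and a version is only a candidate if its newest non-yanked file is older than the cutoff. The project JSON, version numbers and dates are constructed for the illustration and are not telnyx release data; the version comparison is a dotted-integer simplification, not full PEP 440.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "releases" mapping of the PyPI JSON API
# (https://pypi.org/pypi/<project>/json). Project name, versions and dates
# are invented for this illustration.
SAMPLE_PROJECT_JSON = json.dumps({
    "info": {"name": "example-project"},
    "releases": {
        "1.0.0": [{"filename": "example_project-1.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-01-01T10:00:00.000000Z",
                   "yanked": False}],
        "1.1.0": [{"filename": "example_project-1.1.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-03-01T10:00:00.000000Z",
                   "yanked": False}],
        # Yanked by the maintainers after a problem was found.
        "1.1.1": [{"filename": "example_project-1.1.1-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-03-09T10:00:00.000000Z",
                   "yanked": True}],
        # Uploaded two days before NOW: inside a 7-day window, so excluded.
        "1.2.0": [{"filename": "example_project-1.2.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-03-12T08:30:00.000000Z",
                   "yanked": False}],
    },
})

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2025, 3, 14, 12, 0, tzinfo=timezone.utc)


def parse_version(version):
    """Simplified ordering for dotted numeric versions (not full PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def parse_upload_time(stamp):
    """PyPI timestamps are ISO 8601 with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def candidate_versions(project_json, now, window_days):
    """Split releases into (allowed, excluded) under an exclude-newer policy.

    A version is allowed only if it has at least one non-yanked file and its
    newest such file was uploaded before now - window_days.
    """
    data = json.loads(project_json)
    cutoff = now - timedelta(days=window_days)
    allowed, excluded = [], []
    for version, files in data["releases"].items():
        live = [f for f in files if not f.get("yanked", False)]
        if not live:
            excluded.append((version, "yanked"))
            continue
        # A release is as new as its newest file (files can be added later).
        newest_upload = max(parse_upload_time(f["upload_time_iso_8601"])
                            for f in live)
        if newest_upload > cutoff:
            excluded.append((version, "newer than cutoff"))
        else:
            allowed.append(version)
    allowed.sort(key=parse_version)
    return allowed, excluded


def newest_allowed(project_json, now, window_days=7):
    """The version a resolver honouring exclude-newer would pick (or None)."""
    allowed, _ = candidate_versions(project_json, now, window_days)
    return allowed[-1] if allowed else None


if __name__ == "__main__":
    allowed, excluded = candidate_versions(SAMPLE_PROJECT_JSON, NOW, 7)
    print("allowed:", allowed)
    print("excluded:", excluded)
    print("resolver would pick:", newest_allowed(SAMPLE_PROJECT_JSON, NOW))
```

Running this with the 7-day window picks 1.1.0 and reports 1.2.0 as too new, whereas a window of zero days would pick 1.2.0. The design point worth keeping in mind: the window only buys safety if the bad release is detected and yanked before the window elapses, and the same delay applies to releases that fix a vulnerability, so the value is a trade-off rather than a free setting.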

Nice feature. However uv is suspect at the moment, in the sense that it is designed as a pip replacement to overcome issues that only exist when supply chains are of a size that isn't safe to have.

So any project that has uv, and any developer that tries to get uv into a project, is on average less safe than a project that just uses pip and a requirements.txt.

I really am not able to follow this line of reasoning. I am not sure if what you said makes sense, or how it relates to uv having a security feature making it on average less safe :/

Sorry - call me uninformed. But I do not really understand how choosing uv makes me less safe than using pip.

Care to explain? Would love to learn.

It is a bit of a leap. They are saying that if you are using uv, then you likely have a broad set of dependencies because you require a dependency management tool, therefore you are more susceptible to a supply chain attack by virtue of having a wider attack surface.

Huh?

Wanting a better pip means I am unsafe?

This is complete nonsense. pip has all the same problems that you say uv has.