Jeff Schulman 

@[email protected]
138 Followers
616 Following
401 Posts
Ph.D Student (Informatics) & Adjunct Faculty at Penn State. Director, Netskope Government Services. Founder, Manteio Company. Systems Architect & Strategist. USMC Veteran. YIMBY.
Jeff Schulman May 2, 2025
We are!
Jeff Schulman Sep 8, 2024
Ravi NayyarSep 8, 2024

'When developers remove their projects from the PyPI repository, the associated package names immediately become available for registration by any other user.

'Many CI/CD machines are already set up to install these packages automatically ...

'The pip install --upgrade command ... replaces the original package with our imposter package ...

'pip won’t show any warnings despite the fact that the package’s author has changed.

'Considered only [non-malicious/spam] packages that had more than 100K downloads OR were active for more than six months.

'... left with a list of more than 22K packagesthat are susceptible to “Revival Hijack”.

'On average, 309 packages are removed each month ...

'... 3 months later ... we have almost 200K downloads of these “safely hijacked” packages.

'... it would be very safe to say that code execution would occur in the vast majority of these cases.

'Almost immediately after the name became available, an account named Jinnis <[email protected]> published a package under the same name ...

'A few days later, on April 12, 2024, the new developer released an update containing the malicious payload promptly detected by our team.

'We fully advocate PyPI to adopt a stricter policy which completely disallows a package name from being reused. In addition, PyPI users need to be aware of this potential attack vector when considering upgrading to a new package version'.

This is a serious platform governance and an end-user software SCRM problem.
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/

Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk

JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. This blog details a PyPI supply chain attack technique the JFrog research team discovered had been recently exploited in the wild. This attack technique …

JFrog
Jeff Schulman Mar 27, 2024
Show threaddaniel:// stenberg://Mar 26, 2024
1. curl is not made by me alone. I lead the project, we are over a *thousand* authors in total
2. I work full-time on providing curl support to paying customers. Some would call it a business.
3. Not "a" billion people. More like 6 billion or so; every human on the globe that is Internet-connected uses things that use curl - daily.
Jeff Schulman Feb 3, 2024
Scott SantensJan 31, 2024
Did you know that #basicincome experiments have shown time and time again that given the choice, people don't choose idleness? They choose education. They choose entrepreneurship. They pursue culture and care. By guaranteeing survival, universal basic income enables truly living.
Jeff Schulman Dec 29, 2023
Chris GeidnerDec 29, 2023
Over the weekend, I wrote at Law Dork about the Trump legal questions facing SCOTUS specifically and the courts more broadly. There's a lot in it, so check it out and subscribe, but I want to highlight this section tonight: https://www.lawdork.com/p/trump-cases-courts-and-accountability
With Trump cases, the courts now must play their role in accountability

It is not anti-democratic to use the tools of our government to hold a person accountable for past anti-democratic actions.

Law Dork
Jeff Schulman Dec 22, 2023
I really have a heart for Uganda. Here's another effort to help make things better there: https://www.gofundme.com/f/each-day-we-have-a-choice
Each Day We Have a Choice...., organized by Lindsay Light

Hello Friends & Family! Meet my friends Biyinzika Yusuf & his beautiful wife Shilah K… Lindsay Light needs your support for Each Day We Have a Choice....

gofundme.com
Jeff Schulman Dec 13, 2023
Taggart Dec 13, 2023
TIL Microsoft makes a JSON and spreadsheet version of their threat actor naming conventions available. Pretty handy if you deal with multiple vendors' #ThreatIntel
mstic/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json at master · microsoft/mstic

Microsoft Threat Intelligence. Contribute to microsoft/mstic development by creating an account on GitHub.

GitHub
Jeff Schulman Dec 10, 2023
toomas ilves, ex-verifDec 10, 2023

https://cyberscoop.com/russia-hollywood-actors-zelensky/
Russian information operation uses US celebrity Cameos to attack Zelensky.
Kremlin propagandists tricked a half dozen celebrities into recording videos urging Ukraine's president to seek treatment for substance abuse.

🐦🔗: https://nitter.cz/IlvesToomas/status/1733935697600413784#m

[2023-12-10 19:44 UTC]

Russian information operation uses U.S. celebrity Cameos to attack Zelensky

Kremlin propagandists tricked a half dozen celebrities into recording videos urging Ukraine's president to seek treatment for substance abuse.

CyberScoop
Jeff Schulman Nov 22, 2023
Julia AngwinNov 21, 2023

No matter how it shakes out at OpenAI, one thing is clear: all of the leading AI companies are firmly for-profit entities and the illusion of OpenAI as a nonprofit optimizing for humanity is gone.

My latest for New York Times Opinion imagines what it would take to truly build AI in the public interest (spoiler: it could look like public libraries, but for compute):

(gift link)

https://www.nytimes.com/2023/11/21/opinion/the-sam-altman-openai-board-microsoft.html?unlocked_article_code=1.AE0.USnQ.Or3s2jZFvj_R&smid=url-share

Opinion | The OpenAI Coup Is Great for Microsoft. What Does It Mean for Us?

The OpenAI fracas most likely cements control of one of the most powerful and promising technologies on the planet under one of this country’s tech titans.

The New York Times
Jeff Schulman Nov 19, 2023
Loving Ambivalent Curiosity