Seth Larson

@sethmlarson
1.9K Followers
408 Following
973 Posts

Security and Fellow at the Python Software Foundation 🐍 Trans rights, BLM, Minnesoootan, retro gaming, he/him



Blog: https://sethmlarson.dev

Signal: sethmlarson.99
Warning to open source maintainers: the Axios supply chain attack started with some very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/
The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved …

Simon Willison’s Weblog

I hope EU will make it illegal to advertise disk storage space in laptops/phones without accounting for OS. macOS takes up 20 GB? Well, it means it’s a 491 GB disk, not 512 GB

Might as well motivate OS manufacturers to slim down installation sizes

PSF Security developers have published incident reports on the LiteLLM & Telnyx #supplychain attacks. Read what happened, who's affected, and what developers & maintainers can do to prepare and protect themselves from future incidents. #security #python
https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack/
Incident Report: LiteLLM/Telnyx supply-chain attacks, with guidance - The Python Package Index Blog

Python Package Index shares insights and provides guidance following LiteLLM/Telnyx supply-chain attacks

RE: https://fosstodon.org/@pypi/116335453780319113

There is a ton in this report, like how @pypi is able to respond so quickly to malware thanks to our network of trusted reporters and how to keep yourself secure both as a maintainer and user of Python packages.

Vote to promote Stan Ulbrych

I’d like to propose promoting Stan Ulbrych (@Stanfromireland) to core developer. If you’ve been active in the repo lately you probably ran into this enthusiastic triager. I’m now at the proverbial point where applying his “I’d merge this” suggestions feels like a chore – and cases where I disagree feel like nitpicking. Stan started contributing at the end of 2024, was promoted to triager in June, and accumulated 340+ commits in main. He’s active in datetime (to the point where @pganssle asked ...

Discussions on Python.org

You can do a lot of things with @sigstore: sign things with workload identity, get attestations in package managers like PyPI, etc. But there are some limitations. For instance, you can't verify a Sigstore bundle in a 16-bit DOS environment.

Until today. Introducing sigstore-c, which prioritizes portability over features (and correctness!) https://blog.sigstore.dev/sigstore-c/

Introduction sigstore-c - Sigstore Blog

@treyhunner wait, is r"" a raw string? In my head I've always interpreted that was a regular expression "string"
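Added example (not part of the post above, and not code from either participant) illustrating the distinction the question is about: the r"" prefix only changes how the literal is parsed (backslashes are kept verbatim), and the result is an ordinary str that re.compile() turns into a pattern. The pattern and input strings are constructed for this example.

```python
import re
from typing import Optional

# Constructed example: the same regex written two ways. r"\d+\.\d+" is a raw
# string literal, so the backslashes survive parsing untouched; the second
# form spells out the same seven characters by doubling each backslash.
RAW = r"\d+\.\d+"
ESCAPED = "\\d+\\.\\d+"


def same_string(a: str, b: str) -> bool:
    """A raw literal is not a different type; it is the same str value."""
    return a == b and len(a) == len(b)


def raw_keeps_backslashes() -> tuple:
    """In "\\n" the escape is processed (one newline character);
    in r"\\n" it is kept as two characters: backslash and n."""
    return (len("\n"), len(r"\n"))


def is_regex_object(value) -> bool:
    """Only re.compile() produces a Pattern; the raw literal itself is a str."""
    return isinstance(value, re.Pattern)


def match_version(text: str) -> Optional[str]:
    """Use the raw-string pattern as a regex to pull out a dotted version."""
    m = re.search(RAW, text)
    return m.group(0) if m else None


def literal_pattern(user_input: str) -> str:
    """Practitioner caveat: a raw string only protects backslashes you typed
    in source. Text that arrives at runtime (e.g. a search term from a user)
    still needs re.escape() so regex metacharacters are matched literally."""
    return re.escape(user_input)
```

Raw strings are conventional for regex patterns because `re` needs to see the backslashes, but the prefix is unrelated to regular expressions themselves; `r"plain text"` is still just a string, and `re.compile(r"...")` is where the regex comes in.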

I clearly need to start a wall of ā€œtrusted publishing would have prevented thisā€ incidents

Edit: but not axios, maybe! Looks like that one may be full maintainer account compromise.

šŸ” Security Track Spotlight:
Join Hala Ali & Andrew Case at #PyConUS 2026 for "Post-Incident Runtime SBOM Generation from #Python Memory" and learn how to generate SBOMs from memory to uncover hidden dependencies and reduce false positives. #security

https://us.pycon.org/2026/schedule/presentation/104/

Received the #Lego #Gameboy as a gift! My chances of doing https://buildaboy.co have suddenly increased astronomically.