Project Quarantine

Earlier this year, I wrote briefly about new functionality added to PyPI, the ability to quarantine projects. This feature allows PyPI administrators to mark a project as potentially harmful, and prevent it from being easily installed by users to prevent further harm. In this post I’ll discuss the implementation, and further improvements to

Supply-chain attack analysis: Ultralytics

Last week, the Python project “ultralytics” suffered a supply-chain attack through a compromise of the project’s GitHub Actions workflows and subsequently its PyPI API token. No security flaw in PyPI was used to execute this attack. Versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 were affected and have been removed from PyPI.