An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud,…
We've implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from…
Trusted Publishing has proven popular since its launch in 2023. Recap: Trusted Publishing enables software build platforms to publish packages…
Unfortunately the string of phishing attacks using domain confusion and legitimate-looking emails continues. This is the same attack PyPI saw a few…
Summary: I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI…
Summary: PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired…
PyPI now serves project status markers in its standard index APIs. This allows downstream consumers (like Python package installers and index mirrors)…
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP parser…
Incident Report: Phishing Attack. Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report…
A follow-up to the previous post. We have since learned that the campaign was orchestrated by the company that owns the inbox.ru…