Source distributions (sdist) can execute arbitrary code during installation via setup.py, making them a common attack vector for supply chain attacks. Unlike pre-built wheels, source distributions ...
In the PyPI attack, a malicious pull request exploited a script-injection flaw in a GitHub Actions workflow to add base64-encoded infostealer code to release 0.23.3, also affecting the project's ...
GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace. Trusted Publishing is sometimes referred to by its ...
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more ...