PyPI package with 1.1M monthly downloads hacked to push infostealer

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive ...

PyPI遭投毒!LiteLLM用户Python启动就中招,个人凭证秒泄露

随后,LiteLLM的CI/CD在构建过程中接触到了被污染的Trivy,并让攻击者窃取到了维护者的PyPI凭证。利用该凭证,攻击者先后发布恶意版本LiteLLM 1.82.7和LiteLLM 1.82.8。
电子工程专辑

【Python学习笔记】|PyPI使用国内源(pip更换国内源)

今天,我在学习及实践使用 Python 虚拟环境时,下载相应库文件,直接使用 pip 下载,结果因下载速度过于实在太慢导致始终 ...
Dark Reading

Novel PyPI Malware Uses Compiled Python Bytecode to Evade Detection

In a new twist on software supply chain attacks, researchers have discovered a Python package hiding malware inside of compiled code, allowing it to evade ordinary detection measures. On April 17, ...
腾讯网

警惕!PyPI Python软件包存在多种恶意代码

近日,研究人员发现Python软件包索引(PyPI)中存在四个不同的流氓软件包,包括投放恶意软件,删除netstat工具以及操纵SSH authorized_keys文件。 存在问题的软件包分别是是aptx、bingchilling2、httops和tkint3rs,这些软件包在被删除之前总共被下载了约450次。其中aptx是 ...
Bleeping Computer

Malicious Python Package Available in PyPI Repo for a Year

Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects. One of them, using ...
Dark Reading

One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts ...
ZDNet

Malicious Python libraries targeting Linux servers removed from PyPI

A security firm found three malicious Python libraries uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on ...