Man, I wish we had the equivalent of Jon Gjengset's outstanding "De-crusting The $X Crate" #rust videos for #python #pypi packages.

The format is beautiful. Let's peel back the covers on some code library we all use and REALLY understand what's going on under the covers.

Am I missing out? Is there somebody out there doing work like this? Please throw me a line if you're in the know :) Thanks!

#Python: Malicious #PyPI Packages Stole #Cloud #Tokens—Over 14,100 Downloads Before Removal
https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html

#2FA-siirto etenee: #Firefox siirretty #googleauthenticator'ista #Aegis'iin, #PyPI Aegisiin ja #Yubikey'hin. #atkjuttuja

Są dni, kiedy jestem naprawdę już zmęczony podejściem autorów oprogramowania do twórców dystrybucji. Nie chodzi tylko o niewdzięczność — to wręcz ignorowanie ogromu pracy, jaki wkładamy, żeby to wszystko trzymało się kupy. A jakby nie patrzeć, to cały czas polegają na naszej pracy.

Może nie używają #Gentoo. Może ich distro to #Debian, #Fedora, #Arch, jakaś ich pochodna, albo coś zupełnie innego. Czy to znaczy, że wysiłek wkładany przez Gentoo się nie liczy? A co, jeżeli ten sam problem spotyka twórców dystrybucji, używanej przez nich? A jeżeli nawet nie, to czy autorzy oprogramowania, którzy akurat używają Gentoo, powinni teraz być wrodzy wobec innych dystrybucji?

Może nie zgadzają się z tą czy inną, naszą zasadą. Może nawet używają Gentoo, ale nie zgadzają się z tym, w jakim kierunku zmierza. No ale cóż, nie są sami na świecie. Staramy się najlepiej jak możemy, przy dostępnych nam środkach, dla wszystkich użytkowników Gentoo. Nie twierdzę, że zawsze mamy rację, ale wypadałoby mieć naprawdę dobry powód, żeby to wszystko tak po prostu negować.

Może wcale nie używają paczek Pythona z dystrybucji, może nienawidzą tej koncepcji samej w sobie i życzą sobie, by zrównano ją z ziemią, a każdy użytkownik brał paczki wprost z #PyPI, albo innego ekosystemu. No ale nie zgadniecie — są jednak ludzi, którym te nasze paczki pomagają, i którzy chcą ich używać. I są projekty, które nie są w stanie działać w innym ekosystemie, bo potrzebują lepszego zarządzania pakietami. A my jesteśmy tu właśnie dla nich.

No więc, spoko. Może nie używają dystrybucji, nad którą ja pracuję, ani nawet żadnych projektów, przy których pracuję. Może nie zgadzają się z żadnymi moimi pomysłami, może cała moja praca jest dla nich bez wartości. Może nigdy z niej nie skorzystają. Ani ich znajomi, rodziny, ani nikt, kto ich mógłby choć trochę obchodzić. Ale mimo to wszystko, wciąż jest wielu ludzi, którzy potrzebują naszej pracy — więc za kogo mają się ci właśnie autorzy, żeby pokazywać im wszystkim digitus impudicus?

Some days I'm so tired of upstream developers being so adverse to downstream maintainers. Like, it's not just the ungratefulness — it's like completely neglecting the tons of work we're putting into keeping things working. And they literally rely on our work (unless they're running their own distribution).

Yeah, sure, maybe you don't use #Gentoo. Maybe you use #Debian, or #Fedora, or #Arch, or their derivates, or some other independent distribution. Does that mean that Gentoo work is insignificant? What if the developers of your distribution are facing exactly the same problem? And even if they weren't, does that mean that upstreams using Gentoo should become adverse to the distribution you're using?

Yeah, sure, maybe you don't agree with one of our principles or another. Maybe you even are a Gentoo user, yet disagree with how Gentoo works. Well, even so, you're not the only Gentoo user out there. We're doing the best we can with what we have, and we're trying to make sure things work best for everyone in Gentoo. I'm not saying we're always right, but you really should have a good reason to despise all the work we've been doing.

Yeah, sure, maybe you don't use distribution #Python packaging at all, maybe you despise it entirely and wish it would all be burned down to the ground in favor of everyone using wheels from #PyPI, or whatever. But guess what — there are people who actually find it advantageous, and benefit from it, and want to use it. And there are projects that simply don't work in that ecosystem at all, and need a better package manager. And we're here, for them.

So, yeah, sure. Maybe you don't use the distribution I'm working on, nor any projects I'm working on. Maybe you disagree with me on every single principle, and don't see any purpose in any of my work. Maybe you will never use any of it. Maybe your friends or your family, or anyone you know or care about will even benefit from any of it. Still, there's a lot of people who do and who need this, and who are you to give them the digitus impudicus?

Researchers warn of a malicious campaign targeting #PyPI users with fake "time" utilities that steal sensitive data like #cloud access tokens. Two sets of packages, totaling 20, have been downloaded over 14,100 times, affecting major cloud services

https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html

#PyPI: 20 Malicious Python PyPI Packages Stole Cloud Tokens - Over 14,100 Downloads Before Removal:
#SoftwareSupplyChainSecurity

https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html

#Hackers are poisoning #PyPI again. Devs, check your dependencies NOW!

Cybercriminals planted 20 fake Python packages on PyPI—stealing cloud access tokens from AWS, Alibaba Cloud, and Tencent Cloud. These packages, disguised as "time" utilities, racked up 14,100+ downloads before removal.

One even snuck into a GitHub project with 519 stars and 42 forks.

https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html

Hey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind?

Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.

Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!

Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!

uv users, what was going on in July-August 2024 that made you all download Wagtail 30x more than usual?! monthly downloads from uv jumped from 15k to 500k #Python #PyPI

#DeltaChat has #Android wheels on #PyPI now:
https://pypi.org/project/deltachat-rpc-server/

Репозиторій #PyPI запроваджує нові умови обслуговування для облікових записів. Відтепер з компаній, які розміщують свої проекти на PyPI, стягується плата в якості комісії та «за послуги підтримки».

Представник #Python Software Foundation І Дурбін пояснив, що нові умови для платних облікових записів поки перебувають в бета-версії.

Після завершення бета-тестування вартість платного акаунту PyPi становитиме $5 за користувача на місяць.

https://highload.tech/uk/najbilshyj-katalog-python-paketiv-pypi-zaprovadzhuye-platni-poslugy/

Un paquete malicioso de #PyPI roba las claves privadas de #Ethereum por medio de transacciones #RPC de #Polygon
https://blogs.masterhacks.net/noticias/criptomonedas/paquete-malicioso-de-pypi-roba-las-claves-privadas-de-ethereum-a-traves-de-transacciones-rpc-de-polygon/

#Ethereum private key stealer on #PyPI downloaded over 1,000 times

https://www.bleepingcomputer.com/news/security/ethereum-private-key-stealer-on-pypi-downloaded-over-1-000-times/

Okay folks, another shady situation just popped up on PyPI! This time, it's a Python package called 'set-utils' – sounds innocent enough, right? Wrong! It's actually a sneaky keylogger targeting your Ethereum keys! These guys are disguising themselves as helpful utilities, but behind the scenes, they're siphoning off your precious wallet info.

Here's the deal: Open source is awesome, no doubt. However, putting blind faith in everything? Not so much. You've gotta double-check your dependencies, seriously! It's always a good idea to use tools that can sniff out any suspicious behavior. And hey, automated scans are definitely a plus, but let's be real – nothing beats a proper pentest by a seasoned security pro.

I'm always saying it: security needs to be baked into the development process from the very beginning. And don't skimp on the budget! Trust me, you'll regret it later.

So, what are your go-to tools for spotting these kinds of attacks early on? Spill the beans!

Had the fun of upgrading #kivymd from 1.4 (latest #pypi version) to 2.0. Although there is no migration script the error messages while running #python suffice to understand the breaking changes and fix them.

Struggling through publishing my first self authored #python package to #pypi

My pyproject.toml fu is weak :) For now!

Status of old PyPI projects: archived

Since late January, the python package index (PyPI) supports archiving projects/packages. This is, in fact, a very welcome feature, since it clearly tells without any doubt when a package is no longer maintained and will not receive any further updates.

It makes it easier for the person looking for packages, to know which ones deserve a closer inspection and which ones are there abandoned, […]

https://blog.ovalerio.net/archives/3112