Lightning Got Owned: When `import lightning` Steals Your Credentials
Malicious lightning PyPI versions 2.6.2 and 2.6.3 shipped a daemon-thread payload that runs on import, steals credentials, and worms into npm.
Python Package Index shares insights and provides guidance following LiteLLM/Telnyx supply-chain attacks
A coordinated phishing campaign is targeting high-impact open source maintainers. Plus: Scorecard v6 evolving into a security evidence engine, 12 CVEs patched across undici, fastify, path-to-regexp and lodash, and a conversation about Node.js in production.
My work as the Security Developer-in-Residence at the Python Software Foundation is sponsored by Alpha-Omega. Thanks to Alpha-Omega for supporting security in the Python ecosystem. I pub...