Trusted publishing replaces long-lived PyPI API tokens with short-lived OIDC credentials, eliminating the most common way attackers gain unauthorized upload access to PyPI.
A comprehensive guide to securing your Python dependencies from ingestion to deployment, covering linting, pinning, vulnerability scanning, SBOMs, and attestations.
A developer published his first PyPI package. Within hours, three AI-generated clones appeared. The pattern is spreading, and it's a supply chain risk.
A supply chain attack hit litellm on PyPI, stealing credentials and deploying backdoors. Bernát Gábor's guide shows how to defend against exactly this kind of threat.
Arcane curation from the IndieWeb, Fediverse and Cybersecurity realms
Last post I walked through the threat model for supply chain attacks and dug into the NPM ecosystem specifically: postinstall scripts, npm ci, pnpm’s release-age cooldown. The same structural problems exist in Python and Rust, but the failure modes are different and the tooling has evolved in some surprising directions. Worth understanding both, because if you write any backend code in 2026 you’re probably touching at least one of these ecosystems.