SecurityWeek

Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks

Over 100 NPM and PyPI packages were injected with malicious code in the Miasma and Hades Shai-Hulud supply chain attack ...
新浪网

Python第三方库PyPI现恶意木马风险 开发者务必注意安装

据Checkmarx披露,Python第三方库PyPI存在安全风险。该平台存在名为BlazeStealer的恶意木马,黑客今年1月至10月在PyPI平台上发布了8 ...
腾讯网

警惕!PyPI Python软件包存在多种恶意代码

近日,研究人员发现Python软件包索引(PyPI)中存在四个不同的流氓软件包,包括投放恶意软件,删除netstat工具以及操纵SSH authorized_keys文件。 存在问题的软件包分别是是aptx、bingchilling2、httops和tkint3rs,这些软件包在被删除之前总共被下载了约450次。其中aptx是 ...
Bleeping Computer

PyPI mandates 2FA for critical projects, developer pushes back

On Friday, the Python Package Index (PyPI), the official repository of third-party open-source Python projects announced plans to mandate two-factor authentication requirement for maintainers of ...
Dark Reading

'Hades' Campaign Against PyPI Puts New Spin on Shai-Hulud

Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, ...

New Shai-Hulud attack trojanizes 19 science-focused PyPI packages

Hackers compromised 19 packages on the PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud ...
The Hacker News

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

The Miasma supply chain campaign has sparked a fresh attack wave called Hades, this time involving 37 malicious wheel ...
新浪网

PyPI遭投毒!LiteLLM用户Python启动就中招,个人凭证秒泄露

最新上传的LiteLLM Python 版本1.82.7和1.82.8,已被人为恶意植入信息窃取程序。 一旦安装,SSH密钥、AWS凭证和API密钥等数据均会立即泄漏。 目前LiteLLM的维护者Krrish Dholakia,已经公开证实此事。 在恶意版本存在三小时后,PyPI迅速发现了这一漏洞,并将软件包隔离。
Dark Reading

Novel PyPI Malware Uses Compiled Python Bytecode to Evade Detection

In a new twist on software supply chain attacks, researchers have discovered a Python package hiding malware inside of compiled code, allowing it to evade ordinary detection measures. On April 17, ...