dubbel, 12 days ago to python

Reported 5 malicious #Python packages to #PyPI: numberpy, tqmmd, pandans, openpyexl, reqwestss all by the same user leemay1782.

All with the same "functionality", getting commands via a socket from dzgi0h7on1jhzdg0vknw9pp9309rxjl8.oastify[.]com and executing it.
I don't think I saw the setup.py entry_points being used as a trigger mechanism before?

#ThreatIntel #CTI #malware

sjvn, 12 days ago to security

Malicious #PyPI Package 'Pytoileur' Targets Windows and Leverages Stack Overflow for Distribution - Security Boulevard https://securityboulevard.com/2024/05/malicious-pypi-package-pytoileur-targets-windows-and-leverages-stack-overflow-for-distribution/ by @sjvn

This latest poisoned Python code used Slack Overflow to advertise itself. Happy, Happy, Joy, Joy! #security

fohrloop, 17 days ago to python

Can sigtore signatures be uploaded to PyPI, and is there / would there be any use for them?

I was reading through https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and noticed the .sigstore files were only uploaded to GitHub Releases.

#python #pypi #pythonpackaging #sigstore

SpeechToTextCloud, 19 days ago to python

Search vulnerabilities in Python packages:

$ curl -sX POST -d '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' 'https://api.osv.dev/v1/query' | jq '.vulns[].summary | select( . != null )'

=== Begin ===
"Jinja2 sandbox escape via string formatting"
"Incorrect Privilege Assignment in Jinja2"
"Insecure Temporary File in Jinja2"
"Regular Expression Denial of Service (ReDoS) in Jinja2"
"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
"High severity vulnerability that affects Jinja2"
=== End ===

Useful jq query strings:
summary, details, aliases

#CVE #PyPI #Python #vulnerability

miketheman, 21 days ago to python

Well, another #PyConUS is done (for me - #Sprints continue for another couple of days!)

It was excellent catching up with old friends and meeting tons of new ones. Pittsburgh was definitely a super cool vibe, 2025 should be fun too.

I'm looking forward to recharging my depleted physical batteries, so I can jump into all the important work we have ahead of us to continue to support this amazing community.

See you online somewhere!!

#Python #PyCon #PyConUS2024 #PyPI #Pittsburgh #Pwords

mistersql, 26 days ago to random

#pyconus #pypi has gotten so much better security-wise over the last year. Trusted Publisher is the best

https://docs.pypi.org/trusted-publishers/

nobodyinperson, 1 month ago to python

I think I have finally™️ (for the third or so time) found myself a solution for :python: #Python development on :nixos: #NixOS that allows me to just work with #pythonPoetry et. al. as on other distros.

The solution is to pre-build an FHSUserEnv in your configuration.nix, e.g. like this¹.

When starting Python dev work, I now execute fhs (it's fast!), or directly fhs -c 'poetry shell' and everything works as expected, including #PyPI wheels etc.

¹https://gitlab.com/nobodyinperson/nixconfig/-/blob/main/fhs.nix?ref_type=heads

cc @publicvoit

pypi, 1 month ago to python

PyPI package maintainers can now publish via Trusted Publishing from three additional providers:

• GitLab
• Google Cloud
• ActiveState

They join GitHub Actions to support publishing without long-lived passwords or API tokens.

#pypi #python
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

hugovk, 1 month ago to python

I have a little site that shows the most downloaded packages from PyPI, updated monthly:

https://hugovk.github.io/top-pypi-packages/

Inspired by this, Vladimir Iglovikov has made a nice leaderboard showing the change from last month:

https://pypilb.vercel.app

#Python #PyPI #downloads #TopPyPIPackages

mistersql, 1 month ago to random

#pypi should have a filter for project size. When the readme is longer than the code, it is a sign that maybe

• it shouldn't be a library (vendorize those 10 lines of code)
• it is an outline for an idea of a gist, not a library or app

I mean this is clever, but it is a long way from, say Moodle,

https://github.com/BrokenShell/MultiChoice/blob/master/MultiChoice.py

(I'm picking on pypi's search functions, not this dev. If I wanted a gist for a prompt like prompt toolkit, this would be perfect)

ucodery, 1 month ago to python

Very cool to see some of the hard work we’ve been doing at #ActiveState for #Python packaging with #PyPI Trusted Publishing being made available to everyone today

https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

davep, 1 month ago to python

I’ve released PISpy v0.6.0; a tool for looking up details of #Python packages in PyPI, all done in the #terminal: https://blog.davep.org/2024/04/17/pispy-0-6-0.html

#Textual #Programming #Packaging #PyPI

hugovk, 2 months ago to python

🥚🐰🛞🐍 Exciting!

I'm doing the first @pillow release using cibuildwheel + PyPI publish GitHub Action + Trusted Publishers!

It'll take just under three hours to build 68 wheels and an sdist, and then upload them automatically to @pypi 🤞

The matrix covers CPython 3.8-3.12, PyPy 3.9-3.10, manylinux, musllinux, macOS Intel + Apple Silicon, Windows 32-bit + 64-bit + ARM...

Follow along the Easter fun at https://github.com/python-pillow/Pillow/actions/runs/8506382482 !

#Python #Pillow #PythonPillow #PyPI #TrustedPublishers #cibuildwheel

sethmlarson, 2 months ago (edited 2 months ago) to python

xz/liblzma backdoor (CVE-2024-3094) is trending.

https://openwall.com/lists/oss-security/2024/03/29/4

#Python bundles xz v5.2.5 and earlier which don't contain the backdoored binary files. #PyPI is also not affected due to using Debian Bookworm, not Sid.

Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.

From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.

dubbel, 2 months ago to python

Reported 15 malicious #PyPI packages: asyncioo, asyyncio, asyincio, aasyncio, etc...

On install they decrypt Fernet encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).

I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).

Anyone else able to access it?

#IOC #threatIntel #python

ThePSF, 2 months ago to python

The PSF is looking for a PyPI Support Specialist to join the team! This is a remote position with 2-4 hours/week overlap with US Eastern/Central work hours. Please share this posting with your colleagues and networks. #python #pypi https://pythonsoftwarefoundation.applytojob.com/apply/nyYHuOha9h/PyPI-Support-Specialist
https://pythonsoftwarefoundation.applytojob.com/apply/nyYHuOha9h/PyPI-Support-Specialist

ThePSF, 2 months ago to python

On this #PiDay, we want to remind you that our love for #python is infinite! Give the unique and unrepeatable love of Python* to yourself or a friend 💙💛 grab the @nostarch Humble Bundle today!

• Pairs well with pie 🥧, pizza 🍕, and #pypi 🐍
  https://www.humblebundle.com/books/learn-you-some-code-no-starch-books

pypi, 3 months ago to random

PyPI now has an improved way to report #malware, via #PyPI itself! Available on web and preview beta API. Learn more and sign up to help test:

https://blog.pypi.org/posts/2024-03-06-malware-reporting-evolved/

mistersql, 3 months ago to python

#pypi #python - Did someone already write a tool to front run safety or pip-audit before anything is installed? I guess something like "poetry lock" and then audit the files for suspicious situations, like CVEs or the repo was created yesterday or the package was published yesterday.

Installing everything then running safety imho has always been !@#$!@$ stupid because the malicious code runs during install.

pypi, 3 months ago to python

Looking back at 2023 @miketheman uncovered some impressive metrics that we want to share! A big thanks to Fastly- And also @awsopen for making Mike’s job possible! #thankyou #PyPI #python

ketmorco, 4 months ago to streaming

Hey friends! After a long hiatus, I'm starting #streaming again - as mentioned in an earlier post, I'm going to be figuring out how to create #apt / #yum repos. I've done some very simple #pypi in the past, and may do some work on that, too. We'll see what we can get done in the time I'll be spending.

https://www.twitch.tv/wayneswonderarium

#WaynesWonderarium (boosts welcome)

DanielJDufour, 4 months ago to python

Are there any examples of governments (federal, state or local) that have requested an org on #pypi ?

#python #civictech

mistersql, 4 months ago to python

When someone republishes an identical (?) copy of a major package under their own name on #pypi, that's probably malicious right? This is a variation on typosquatting.

#python

https://pypi.org/user/LukeSamkharadze/

venthur, 4 months ago to python

Inspired by @fcodvpt post about current popularity of build backends, I investigated how the popularity of build backends used in pyproject.toml evolved over time since PEP-0517 introduced them in 2015:

https://venthur.de/2024-01-26-build-backends.html

#python, #pypi

image/png

wnd, 4 months ago to python

For those interested in such things I have had a go at writing a #python module "parenx" ("pare" + "nx") that simplifies linear networks, such as road and rail, using buffering and either image skeletonization or Voronoi polygons to identify a centre-line

As it is on #PyPi so it is available via #pip

It is beta-code and has a number of limitations but hopefully it might be of interest. Noting that two-dimension areal interpolation problem seems well understood

https://github.com/anisotropi4/parenx