@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.
I started working on the next iteration of #image2sound which was inspired by the idea that sculptors simply reveal what is hidden within the stone. What if the image itself determines the key, the tempo, etc. rather than the user passing arguments to the utility?
To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.
tbqh, I'm contemplating an RFC to stop using package sources from #PyPi, as dealing with sdist tarballs there was often an uphill battle already to begin with (e.g. due to missing files, missing tests, etc.).
In a way removing the signatures was the last straw that broke the camel's back (for me at least). And yes, removing the files instead of just stopping to allow uploading them was not a good idea.
@dvzrv Another approach would have been for #PyPI to strengthen the infrastructure: associate accounts with OpenPGP keys, require and enforce a per-package list of authorized upload signing keys, keep a transparency log of authorized key changes, distribute per-package keyrings, etc.
It’s nothing fancy, ftp.gnu.org does some of that.
The #PSF has received funding for Malware Detection on #PyPI from #CSET! This will mean getting closer to near-instant takedowns of malware on PyPI without needing to infinitely scale up manual triaging of reports all while remaining open! 🎉
"@ThePSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware detection on PyPI. This project will be executed over the coming year."
"If you or your colleagues are currently performing malware analysis of PyPI uploads, we would love to hear from you at":
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #22/2023 is out! It includes, but not only:
➝ 🇺🇸 🪖 Air Force denies running simulation where AI drone “killed” its operator
➝ 🇺🇸 🏂 #Burton Snowboards discloses #databreach after February attack
➝ 🇺🇸 🧪 Enzo Biochem #Ransomware Attack Exposes Information of 2.5M Individuals
➝ 🧠 🤖 Introducing Charlotte AI, #CrowdStrike’s Generative AI Security Analyst
➝ 🐍 🦠 Malicious #PyPI Packages Using Compiled #Python Code to Bypass Detection
➝ 🇰🇵 🎠 N. Korean ScarCruft Hackers Exploit LNK Files to Spread #RokRAT
➝ 🦠 📱 New Zero-Click Hack Targets #iOS Users with Stealthy Root-Privilege #Malware
➝ 🇷🇺 🇺🇸 #Russia says U.S. accessed thousands of #Apple phones in spy plot
➝ 🇯🇵 🚗 #Toyota Discloses New Data Breach Involving Vehicle, Customer Information
➝ ☁️ 👻 Organizations Warned of #Salesforce ‘Ghost Sites’ Exposing Sensitive Information
➝ 🔐 👀 #Amazon faces $30 million fine over Ring, Alexa #privacy violations
➝ 🔐 🧱 Active Mirai Botnet Variant Exploiting #Zyxel Devices for #DDoS Attacks
➝ 🇷🇺 🇺🇦 Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access
➝ 🦠 🤖 #Spyware Found in #GooglePlay Apps With Over 420 Million Downloads
➝ 🦠 🚪 #RomCom malware spread via Google Ads for #ChatGPT, GIMP, more
➝ 👛 Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign
➝ 🍏 #Microsoft finds #macOS bug that lets hackers bypass SIP root restrictions
➝ 🦠 🚪 #Barracuda zero-day abused since 2022 to drop new malware, steal data
➝ 🇬🇷 Worst cyberattack in #Greece disrupts high school exams, causes political spat
➝ 🇮🇳 🎠 Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian #Android Users
➝ 🇺🇸 U.S. Department of Defense releases 2023 Cyber Strategy
➝ 📱☝🏻 New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
➝ 🇯🇵 🎠 New GobRAT Remote Access #Trojan Targeting #Linux Routers in #Japan
➝ 🦠 📂 Clever ‘File Archiver In The Browser’ phishing trick uses #ZIP domains
📚 This week's recommended reading is: "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" by Scott J. Shapiro
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
If your package is hosted on GitHub, I highly recommend checking out Trusted Publishers instead of API tokens. You can find official documentation on how to use Trusted Publishers with PyPI here:
🐍 Subpoenaed PyPI says bye-bye to as much IP address data as it can
➥ The Register
"data minimization may prevent organizations from becoming a preferred source of on-demand surveillance: having excessive amounts of information about users invites legal demands, which staff then have to handle."
#Python#PyPI#DataProtection#Surveillance#Privacy#Programming: "PyPI, the Python Package Index, began evaluating ways to reduce the amount of identifying information that it stores even before the US Justice Department came asking for data on suspect users.
But now that the code repository has disclosed receiving three subpoenas for data on five users earlier this year, the Python community package registry wants developers to understand that it's working to minimize the user data that it stores.
The goal is not to be unable to respond to lawful requests for information; rather it's to store only the minimum amount of data necessary so as not to expose users to unnecessary privacy intrusion."
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #21/2023 is out! It includes, but not only:
‣ 🇬🇧 🇺🇸 #NHS data breach: trusts shared patient details with #Facebook without consent
‣ ☁️ Severe Flaw in #Google Cloud's Cloud #SQL Service Exposed Confidential Data
‣ 🇨🇭 💰 US govt contractor #ABB confirms #ransomware attack, data theft
‣ 🦠 🤖 #Predator: Looking under the hood of Intellexa’s #Android spyware
‣ 🇦🇿 🇦🇲 Hacking in a war zone: #Pegasus#spyware in the Azerbaijan-Armenia conflict
‣ 🦠 🎮 Dark Frost #Botnet Launches Devastating #DDoS Attacks on Gaming Industry
‣ 🇷🇺 🦠 Mysterious #malware designed to cripple industrial systems linked to #Russia
‣ 🇧🇷 🇵🇹 ‘Operation Magalenha’ targets credentials of 30 Portuguese #banks
‣ 🩹 #GitLab 'strongly recommends' patching max severity flaw ASAP
‣ 🇮🇷 🇮🇱 Iranian hackers use new #Moneybird ransomware to attack Israeli orgs
‣ 🇺🇦 Cyber Attacks Strike #Ukraine's State Bodies in Espionage Operation
‣ 🇨🇳 🇺🇸 Chinese state hackers infect critical infrastructure throughout the US and Guam
‣ 🐍 👨🏻⚖️ #PyPI was subpoenaed
‣ 🇰🇵 🦠 N. Korean #Lazarus Group Targets #Microsoft IIS Servers to Deploy Espionage Malware
‣ 🦠 🤖 Data Stealing Malware Discovered in Popular Android Screen Recorder App
‣ 🇩🇪 Arms maker Rheinmetall confirms #BlackBasta ransomware attack
‣ 🦠 New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments
‣ 🇺🇸 🇰🇵 Treasury Department sanctions entities tied to North Korean IT scams, hacking
‣ 🇺🇸 📰 Cuba ransomware claims #cyberattack on Philadelphia Inquirer
‣ 🇺🇸 🏥 After ransomware attack, state’s second-largest health insurer says patient data stolen
‣ 🇯🇵 🇮🇳 🏍️ #Suzuki motorcycle plant shut down by cyber attack
‣ 🇺🇸 🪖 #Pentagon explosion hoax goes viral after verified #Twitter accounts push
‣ 🇺🇸 🇪🇺 #Meta Fined Record $1.3 Billion and Ordered to Stop Sending European User Data to US
‣ 🦠 🎬 Cloned #CapCut websites push information stealing malware
‣ 🇰🇷 🇺🇸 Warning: #Samsung Devices Under Attack! New Security Flaw Exposed
‣ 🍏 #Apple fixes three new zero-days exploited to hack iPhones, Macs