随后，LiteLLM的CI/CD在构建过程中接触到了被污染的Trivy，并让攻击者窃取到了维护者的PyPI凭证。利用该凭证，攻击者先后发布恶意版本LiteLLM 1.82.7和LiteLLM 1.82.8。

In a new twist on software supply chain attacks, researchers have discovered a Python package hiding malware inside of compiled code, allowing it to evade ordinary detection measures. On April 17, ...

近日，研究人员发现Python软件包索引（PyPI）中存在四个不同的流氓软件包，包括投放恶意软件，删除netstat工具以及操纵SSH authorized_keys文件。 存在问题的软件包分别是是aptx、bingchilling2、httops和tkint3rs，这些软件包在被删除之前总共被下载了约450次。其中aptx是 ...

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by ...

The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. Accessible at pypi.org, PyPI is the default ...

A security firm found three malicious Python libraries uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on ...

The PyPI package flood is just the latest in a string of attacks on public repositories with the intent to plant malicious code. Over the weekend an attacker has been uploading thousands of malicious ...

Spammers have inundated the Python Package Index (PyPI) portal and the GitLab source code hosting website with garbage content, flooding both with ads for shady sites and services. The attacks were ...