PyPI 警告:Python 开发者面临新型密码窃取网络钓鱼攻击,呼吁加强 ...

Python 软件包索引(Python Package Index, PyPI)发出警告,指出针对 Python 开发者的网络钓鱼攻击将持续存在,攻击者利用虚假域名和紧急邮件策略诱骗用户。受害者被诱导通过拼写错误的域名(如 pypi-mirror.org)验证账户。PyPI 敦促用户和维护者采用防网络钓鱼的双因素认证(2FA)和具备域名识别功能的密码管理器,以应对日益严峻的安全威胁。

New string of phishing attacks targets Python developers

If you recently got an email asking you to verify your credentials to a PyPI site, better change that password ...
SecurityWeek

PyPI Warns Users of Fresh Phishing Campaign

PyPI, the default platform for Python's package management tools, is warning users of a fresh phishing campaign.

PyPI invalidates tokens stolen in GhostAction supply chain attack

The Python Software Foundation team has invalidated all PyPI tokens stolen in the GhostAction supply chain attack in early ...
Bleeping Computer

PyPi python packages caught sending stolen AWS keys to unsecured sites

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by ...
The Hacker News

SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers

Zscaler reveals SilentSync remote access trojan hidden in two malicious PyPI Python packages, risking browser data theft and multi-OS compromise.
腾讯网

Java、Python等开源组织联合声明:大企业应为开源基础设施付费

IT之家 9 月 24 日消息,开源安全基金会(OpenSSF)昨天发布声明,直言“开源基础设施并非免费”,并警告现代软件开发背后的关键基础设施正被推向崩溃边缘。这份声明由八个组织共同签署,包括 ...
Infosecurity Magazine

Chinese AI Villager Pen Testing Tool Hits 11,000 PyPI Downloads

AI-native Villager, which automates Kali and DeepSeek penetration tests, has reached 11,000 PyPI downloads fueling dual-use ...
ZDNet

Malicious Python libraries targeting Linux servers removed from PyPI

A security firm found three malicious Python libraries uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on ...