A malicious Python package named 'fabrice' has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers.

The malicious package downloads an image from the Web, then uses a steganography module to extract and execute the code to download malware.

Checkmarx, which recently also found a flaw in Amazon’s Ring camera system, is now warning Python developers that package downloading could lead to an increased risk of a supply chain attack.

Malicious Python packages found exfiltrating user data to Telegram bot Appears to be part of a wider operation by crime gang based in Iraq, say Checkmarx researchers ...

Several harmful Python .whl files containing a new type of malware called “Kekw” have been discovered on PyPI (Python Package Index). According to new data by Cyble Research and Intelligence Labs ...

Nir Cohen describes Wagon, which takes Python wheels, packages them together, adds metadata, and allows for offline extraction and installation.

All-in-one Python project management tool written in Rust aims to replace pip, venv, and more. Here's a first look.

Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems The PyPI "pymafka" package is the latest example of growing attacker interest in abusing widely used open ...

Researchers have discovered yet another set of malicious packages in PyPi, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar ...