随后，LiteLLM的CI/CD在构建过程中接触到了被污染的Trivy，并让攻击者窃取到了维护者的PyPI凭证。利用该凭证，攻击者先后发布恶意版本LiteLLM 1.82.7和LiteLLM 1.82.8。

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive ...

今天，我在学习及实践使用 Python 虚拟环境时，下载相应库文件，直接使用 pip 下载，结果因下载速度过于实在太慢导致始终 ...

Malicious Lightning 2.6.2/2.6.3 released April 30 enable credential theft via hidden payload, leading to PyPI quarantine and ...

监测发现，近期AI模型部署工具Xinference遭供应链投毒攻击。攻击者向Python官方软件包仓库PyPI（Python Package Index）上传了包含恶意代码的Xinference软件包，用户安装受影响的软件包或者在代码文件中引入Xinference时，恶意代码将自动执行。攻击者可窃取云平台凭据、API密钥、数据库密码、加密货币钱包和 环境变量 ...

近日，研究人员发现Python软件包索引（PyPI）中存在四个不同的流氓软件包，包括投放恶意软件，删除netstat工具以及操纵SSH authorized_keys文件。 存在问题的软件包分别是是aptx、bingchilling2、httops和tkint3rs，这些软件包在被删除之前总共被下载了约450次。其中aptx是 ...

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts ...

In a new twist on software supply chain attacks, researchers have discovered a Python package hiding malware inside of compiled code, allowing it to evade ordinary detection measures. On April 17, ...

Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects. One of them, using ...