Posts by Mike Fiedler
I made a thing, a soundscape based on #PyPI package data feed updates 🎶🐍📦🎶
Maybe you'll enjoy it too?
miketheman.github.io/listen-to-py...
It's still awesome to me that I get to work on some really hard problems for the common good. This was a lot of work, hope you enjoy the read!
I've seen it all now.
AI writes code, submits PR.
AI reads PR, detects AI-written code, rejects it.
AI rewrites code to avoid detection by AI.
/loop
I can't help but wonder when we all burn up in a fiery blaze of greenhouse gases, will the AI-of-then harvest the energy and continue?
Screenshot of a Python terminal REPL with the text: NameError: name 'base64' is not defined. Did you forget to import 'base64'?
Any time I see something like this in a #Python REPL, I can't help but smile for two reasons:
1. Yes, yes I did forget. 🙈
2. I know some of the folks who worked so hard to make that message do exactly what I want it to do. Thanks to @pablogsal.com, @lukasz.langa.pl, and so many others!
#OpenSource
Book in the official #PyCon2026 hotel block and get a mystery swag item.
We can't tell you what it is.
(That's why it's called mystery swag.)
Only way to get it is to book in the block.
us.pycon.org/2026/venue/hotels/
#Python
"I'm a speaker at PyCon US 2026" image, Mike Fiedler, Anatomy of a Phishing Campaign, with a profile photo of Mike in referee stripes
I'll be speaking at @pycon.us 2026!
Come on out to Long Beach California for an excellent #Python community event, and maybe listen to me talk about #OpenSource #SupplyChain #Security from #PyPI perspective
us.pycon.org/2026/schedul...
Gotta sleep sometimes
Yes, ClickHouse is very cool to provide this interface.
Reminder: these metadata do not get updated with removals from spam accounts or otherwise; the BigQuery dataset that feeds this is basically append-only.
Aww. We tried! But hit a pretty bad regression github.com/pypi/warehou...
I _think_ this is the culprit? github.com/python/cpyth...
There is a ton in this report, like how @pypi.org is able to respond so quickly to malware thanks to our network of trusted reporters and how to keep yourself secure both as a maintainer and user of Python packages.
PSF Security developers have published incident reports on the LiteLLM & Telnyx #supplychain attacks. Read what happened, who's affected, and what developers & maintainers can do to prepare and protect themselves from future incidents. #security #python
Many thanks to @sethmlarson.dev and @miketheman.com for their ongoing work on securing the Python infrastructure.
I fondly recall when I associated "SCA" with the Society for Creative Anachronism.
Sadly, nowadays it's Supply Chain Attack.
I'm starting to think that I only want to accept reports that have a properly written test case in the format of the project that exposes the problem. So even if there's no fix provided, at least the reporter took the time to ensure the maintainer can confirm their report
I suspect this was placed there before the GitHub Action incorporated sigstore signing on its own, and is now redundant
github.com/pypa/gh-acti...
You got this. 🤿
Agreed, however I suspect that many communities are overstretched, and this being a company-backed tool makes me wonder how folks pick and choose what to work on in their open source time
Wish I was there! Have a blast
@atls.city !set US-NY-NewYorkCity
Nerd sniped again, this time by @miketheman.com, into looking at how various package managers do mirroring: nesbitt.io/2026/03/20/p...
Sorry to hear this news. Here's to hoping you're okay and can take a breather
For those unfamiliar, this kind of funding is what makes my role currently possible. Thanks to all the donors, and keep up the good work!
Very excited for @pycon.us - there's an entire #Security focused track chaired by @juanitagomezr.bsky.social & @sethmlarson.dev
Come on out to Long Beach, CA in May, listen to me talk about @pypi.org #SupplyChain
Check it out here: us.pycon.org/2026/tracks/...
#Python #PyCon #PyConUS #OpenSource