#PyPi
Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.

Backdoored #Telnyx #PyPI package pushes #malware hidden in #WAV #audio

www.bleepingcomputer.com/news/security/backdoored...

#cybersecurity


Alert: The Telnyx Python SDK on PyPI has been compromised in a major supply chain attack by TeamPCP. Developers, update immediately and rotate credentials! #CyberSecurity #SupplyChainAttack #PyPI Link: thedailytechfeed.com/telnyx-pypi-...

The LiteLLM Supply Chain Attack: How a Security Scanner Became a Backdoor
On March 24, 2026, versions 1.82.7 and 1.82.8 of LiteLLM — with ~97 million monthly downloads — were found to contain a credential-stealing backdoor. Here's what happened, how it worked, and what you ...

The LiteLLM Supply Chain Attack: How a Security Scanner Became a Backdoor

techlife.blog/posts/litell...

#LiteLLM #SupplyChainAttack #PyPI #Security #Malware #Python #TeamPCP #AISecurity

OSSPREY

Ossprey has detected a new wave of #TeamPCP malware embedded in #telnyx versions 4.87.1 and 4.87.2 on #PyPI.

Full analysis is on our blog.

If telnyx is in your dependency tree, check your installed version now.

ossprey.com/blog/telnyx-...

#SupplyChainSecurity #PyPI #OpenSource #Malware #AppSec


Another supply chain attack hits home: LiteLLM was compromised by TeamPCP. Learn how a stolen token led to a massive infostealer deployment and what it means for your software.

thepixelspulse.com/posts/litellm-malware-at...

#litellm #teampcp #pypi

Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack.

Popular #LiteLLM #PyPI package backdoored to steal credentials, auth tokens

www.bleepingcomputer.com/news/security/popular-li...

#cybersecurity #TeamPCP

LiteLLM Python Library Poisoned — Do Not Update
LiteLLM Python library poisoned in supply chain attack. Do not update. Critical secrets exposed. Security alert for AI developers.

LiteLLM Python library was poisoned via PyPI on March 24 — check if you have version 1.82.8 installed and rotate all credentials immediately
#LiteLLM #Python #PyPI
open.substack.com/pub/pythonli...


Supply chain attack hits litellm (95M downloads).
Backdoor runs on import + every Python startup.
Steals creds, spreads via Kubernetes, persists silently.
Same campaign hitting multiple ecosystems.
Dev tools = new attack surface?
Follow us for more updates.
#CyberSecurity #Infosec #OpenSource #PyPI


TeamPCP Backdoors LiteLLM via Trivy
Read More: buff.ly/9DwmFvk

#TeamPCP #LiteLLM #Trivy #PyPI #SupplyChainSecurity #KubernetesSecurity #CredentialTheft #DevSecOps

New supply chain attack hits LiteLLM with 95M monthly downloads
A new supply chain attack has compromised LiteLLM on PyPI with credential-stealing malware in a library with 95 million monthly downloads.

A new supply chain attack has compromised #LiteLLM on #PyPI with credential-stealing #malware in a library with 95 million monthly downloads.

cyberinsider.com/new-supply-c...

#apisecurity #supplychain #python

LiteLLM PyPI Compromise: Thin Wrapper Steals Keys
A single pip install of LiteLLM 1.82.8 was enough to run a credential stealer every time Python started, thanks to a hidden .pth file in the wheel. The litellm pypi compromise is not just “another PyPI malware story”, it’s a stress test of the idea that LLM wrappers are harmless glue. TL;DR LiteLLM 1.82.7 and 1.82.8 on PyPI were trojaned with a…

LiteLLM on PyPI was trojaned via a hidden .pth that stole credentials. Installed 1.82.7/1.82.8? Assume your keys are gone — audit now. #PyPI #SoftwareSupplyChain #Cybersecurity

[Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised — full timeline and status · Issue #24518 · BerriAI/litellm
[LITELLM TEAM UPDATES] Compromised packages have been deleted (v1.82.7, v1.82.8) Compromise came from trivvy security scan dependency All maintainer accounts have been rotated (new maintainer accou...

github.com/BerriAI/lite... #litellm #security #pypi


LiteLLM's latest versions were compromised via its CEO's GitHub, unleashing infostealer malware. This isn't just another supply chain attack; it reveals deeper issues.

thepixelspulse.com/posts/litellm-supply-cha...

#litellm #pypi #teampcp

Original post on webpronews.com

The AI Tool You Just Downloaded Might Be Stealing Your Passwords: Inside the Infostealer Campaign Targeting Developers Kaspersky researchers uncovered malicious Python packages impersonating AI dev...

#AISecurityPro #AI #developer #tools #Claude #Code […]

[Original post on webpronews.com]


Half the ecosystem. Done.
180 of the top 360 PyPI packages now ship free-threaded wheels, a milestone the whole Python community helped reach.
The next 50% needs you. 🙌
See how to help in our latest blog by Nathan Goldbaum: buff.ly/GzMmtfy
#Python #PyPI #FreethreadedPython #Quansight

Dive into Recent Discoveries of PyPI Package Vulnerabilitie
Recent research highlights serious vulnerabilities in Python Package Index (PyPI) packages, which can lead to keystroke theft and social media account hijacking

🌊🔍 Dive into recent discoveries of PyPI package vulnerabilities! Stay informed and secure your projects. Read more here: innovirtuoso.com/cybersecurity/a-deep-div... #Cybersecurity #Python #PyPI #Vulnerabilities

Original post on fediscience.org

This cannot be:

I am trying to compile a few stats for the #Snakemake executor plugin for #SLURM on #HPC systems. Preparing for a lightning talk at the #SnakemakeHackathon2026

PyPi: 20,000 downloads last month
BioConda: > 60,000 total (aggregated over all versions)

Impressive as it might be […]

Relative “Dependency Cooldowns” in pip v26.0 with crontab
WARNING: Most of this blog post is a hack, everyone should probably just wait for relative dependency cooldowns to come to a future version of pip. pip v26.0 added support for th...

I got too excited about "set-and-forget" relative dependency cooldowns coming to #pip that I hacked them together using cron and a script that calculates uploaded-prior-to in pip.conf 👀

sethmlarson.dev/pip-relative...

#python #pypi #dependencycooldowns #security


Huge thanks to @fastly.com for 10+ years of keeping #PyPI up and running! PyPI serves 800K+ users at ~100K requests/sec. With a small team behind the service, that kind of scale is only possible because of infrastructure partners who invest in the sustainability of the #Python ecosystem.

GitHub - stevencarpenter/nuv: Opinionated bootstrap tool for rapid cli tool generation in Python, with UV. Other bootstrap features seem worth investigating once I'm happy with the cli bootstrap. Idea...
Opinionated bootstrap tool for rapid cli tool generation in Python, with UV. Other bootstrap features seem worth investigating once I'm happy with the cli bootstrap. Ideally you are adding this...

I did an open source. Meet nuv github.com/stevencarpen.... I often like spinning small, utility cli tools. Sometimes they are for a larger project's administration, or just a one off thing. Now I can spin a new UV project with one command and it comes with the basic cli setup I like. #foss #pypi #uv

GitHub - irods/irods_client_http_python
Contribute to irods/irods_client_http_python development by creating an account on GitHub.

The new iRODS HTTP API Python Wrapper Library v0.1.0 is released!

github.com/irods/irods_...

Via PyPI:
pip install irods-http

#python #irods #http #pypi


The Underfunded Gatekeepers: How Open-Source Registries Became Critical Infrastructure Without the Budget to Match Open-source package registries like npm and PyPI distribute billions of software p...

#CybersecurityUpdate #npm #open-source #funding […]

[Original post on webpronews.com]

Original post on mastodon.social

Wow, I've just learned that GStreamer is now publishing bundles including all dependencies for Python on PyPI:

https://pypi.org/project/gstreamer-bundle/
gitlab.freedesktop.org/gstreamer/gstreamer/-/is...

Unfortunately, not yet for GNU/Linux (understandable seeing the complexity […]


Humpf. Was on a good roll this evening, just updated BlogMore again, and while I can see the latest version (0.6.0) on PyPI nothing seems to want to convince uv that there's anything later than 0.5.0. 🙃

#Python #PyPI


Hi there👋 I've published my onlyone #python app on #PyPI

If you need a tool to find and move to trash #duplicates of your files, feel free to use it and send me feedback.

Here is the link to #onlyone on pypi:
pypi.org/project/only...

It requires python >= 3.9
It has both cli and gui
thanks

Original post on social.tsun.co

Maybe not worth it for #pypi to implement, but I wonder if there are any projects that look at #python packages, and map the connection between projects and entrypoints. For example, if my project loads an `example.foo` entrypoint, then how would I search all projects that implement an ` […]


📰 Fake Recruiters Hide Malware in Coding Tests for Crypto Developers

👉 Read the full article here: ahmandonk.com/2026/02/15/fake-recruite...

#cryptocurrency #cybersecurity #lazarus #group #malware #npm #pypi #supply #chain #attack

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems non-malicious version and prior to the release read more about Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems reconbee.com/lazarus-camp...

#Lazarus #Lazaruscampaign #malicious #packages #PyPI #npm #cybersecurity #cyberattack

Original post on helpnetsecurity.com

OpenClaw Scanner: Open-source tool detects autonomous AI agents A new free, open source tool is available to help organizations detect where autonomous AI agents are operating across corporate envi...

#Don't #miss #News #agentic #AI #Astrix #Security […]

[Original post on helpnetsecurity.com]
