近年来，开源软件在现代软件开发中的基础性地位日益凸显。作为全球最广泛使用的编程语言之一，Python的包生态系统以Python Package Index（PyPI）为核心，承载了超过50万个公开项目和数百万开发者。然而，这一开放协作模式在提升开发效率的同时，也暴露出显著的安全隐患。2023年至2025年间，Python软件基金会（Python Software Foundation, PSF）多 ...

PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear ...

今天，我在学习及实践使用 Python 虚拟环境时，下载相应库文件，直接使用 pip 下载，结果因下载速度过于实在太慢导致始终 ...

The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. Accessible at pypi.org, PyPI is the default ...

The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks using a fake Python Package Index (PyPI) website. PyPI is a ...

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn’t going away any ...

PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any ...

Security researchers have discovered a total of 3938 unique secrets on PyPI, the official third-party package management system for the Python community, across all projects, with 768 of them ...

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries ...

Researchers from Checkmarx have uncovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to release crypto-draining, data-stealing ...