Goal is to steal Tea tokens by inflating package downloads, possibly for profit when the system can be monetized.

Cybersecurity researchers have found harmful software in the official Python Package Index (PyPI) and npm package repositories, putting software supply chains at risk. The packages, called termncolor ...

“Chimera-sandbox-extensions” exploit highlights rising risks of open-source package abuse, prompting calls for stricter dependency controls and DGA malware detection. A malicious Python package posing ...

A new campaign exploiting machine learning (ML) models via the Python Package Index (PyPI) has been observed by cybersecurity researchers. ReversingLabs said threat actors are using the Pickle file ...

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only ...

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security.

When attackers compromised Ultralytics YOLO, a popular real-time object detection machine-learning package for Python, most assumed the Python Package Index, or PyPI, must be the point of failure.

Users of popular cryptocurrency wallets have been targeted in a supply chain attack involving Python packages relying on malicious dependencies to steal sensitive information, Checkmarx warns. As part ...

Researchers have come across a rather odd Python code package online that aims to steal Google Cloud Platform credentials from a very limited set of macOS victims. The package, "lr-utils-lib," was ...

The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign. PyPI said "new ...