Just published version 1.16.6 of The Pdfalyzer, the surprisingly popular tool for analyzing (possibly malicious) PDFs I created after my own unpleasant encounter with such a creature. Includes a (kind of janky) #YARA rule for #GIFTEDCROOK infostealer PDFs.
* Github: https://github.com/michelcrypt4d4mus/pdfalyzer
* Pypi: https://pypi.org/project/pdfalyzer/
* Homebrew: https://formulae.brew.sh/formula/pdfalyzer
PyPI Malware Exploits Instagram Growth Tools to Harvest Credentials
Pulse ID: 68496f698c9d93ca338f0790
Pulse Link: https://otx.alienvault.com/pulse/68496f698c9d93ca338f0790
Pulse Author: cryptocti
Created: 2025-06-11 11:58:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#NPM: New Supply Chain #Malware Hits NPM and #PyPI Package Ecosystems. #ReactNative-Aria & #GlueStack packages with cumulative 1mln+ weekly downloads backdoored overnight - check your dependencies!
#SoftwareSupplyChainSecurity
https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html
New reason not to use #PythonPoetry just dropped: they reinvented "reproducible builds", poorly. The problem is, they missed the purpose of reproducible builds entirely and they use it for source distributions too, and when you don't use SOURCE_DATE_EPOCH, they force all files to epoch (as in timestamp 0) instead of leaving them alone.
Like, all source distributions created by Poetry and uploaded to #PyPI now have 1970 timestamps that, simply speaking, break stuff. The most absurd thing is that ZIP can't handle that timestamp, so they override it and use another date for wheels 
.
You want to use a #StaticSiteGenerator and need to support #multilingual sites? It’s now easier than ever! For quite a while, #Pelican had a great plugin for that use case. Now I helped migrate it to the new plugin format, which means that it can easily be installed from #PyPI. https://github.com/pelican-plugins/i18n-subsites #MultilingualDH #MinimalComputing
There is now a #gitAnnex package on #PyPi: https://pypi.org/project/git-annex/
This should make it simpler to deploy git-annex in Python virtual environments, also as versioned dependencies for software like #Datalad
Packages are built for Linux, Windows, and Mac via GitHub actions: https://github.com/psychoinformatics-de/git-annex-wheel/
Contributions to cover more platforms are most welcome!
Hackers are hiding malware inside AI/ML models on PyPI, targeting #AlibabaAILabs users. Malicious packages dropped infostealers through infected Pickle files.
Read: https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/
I enjoyed writing my first blog post last weekend, so I thought I'd write another one. This one is about a #bash script that became a #Python script and is now a package. All because I was too lazy to label plates and tubes in the lab by hand. The post is mostly about the history and motivation behind the package, i.e. the stuff that does't really fit into the README
Malicious Python #PyPI Packages Exploit Instagram and TikTok APIs to Validate Stolen User Accounts:
https://thehackernews.com/2025/05/malicious-pypi-packages-exploit.html
Backdoor implant discovered on PyPI posing as debugging utility
A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be part of a larger campaign possibly linked to a hacktivist group known as Phoenix Hyena. The campaign also includes other packages like 'discordpydebug' and 'requestsdev'. The attackers' motivation appears to be geopolitical, potentially related to the Russia-Ukraine conflict. The use of specific backdooring techniques and tools like Global Socket Toolkit indicates a high level of sophistication and an intent to establish long-term presence on compromised systems.
Pulse ID: 68264a9cb2b105513148d978
Pulse Link: https://otx.alienvault.com/pulse/68264a9cb2b105513148d978
Pulse Author: AlienVault
Created: 2025-05-15 20:12:12
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
If you're at #PyConUS today and wanna chat, I'll be at a sponsor presentation this afternoon https://us.pycon.org/2025/schedule/presentation/153/
Or at @ThePSF booth in the Expo Hall during the Opening Reception
There are currently 636,000 #python projects on #pypi
By the time you read this there will be several more, to the tune of one every few minutes
#opensource tools, algorithms, frameworks for #datascience, #machinelearning, #webdev and much, much more, in principle accessible to everybody
What does this mean, where will this lead?
Your guess as good as mine. But this is emphatically *not* the world we used to live-in, until recently
Remember this when you are gloomy
Malicious PyPI Package Exposes Discord Developers to RAT Malware Threats
A deceptive Python package, 'discordpydebug,' has infiltrated the PyPI repository, targeting Discord developers with remote access trojan (RAT) malware. With over 11,000 downloads since its launch, th...
We're proud to announce that @gnuhealth is now an organization in the Python Package Index (#PyPI).
The organization makes it easy to find and explore our projects and packages.
We're proud to announce that #GNUHealth is now an organization in the Python Package Index (#PyPi). It's very easy to navigate our projects on pypi. 
There's a long tail in PyPI downloads.
Here's the 15k most popular packages from https://hugovk.github.io/top-pypi-packages/ charted. The second is with log scale.
Malicious #PyPI packages abuse #Gmail, #websockets to hijack systems
While preparing my talk, I found some (small) accessibility issues in pypi warehouse project but seems like only maintainers can raise issues and I don't know what to do now, other type of issues doesn't seems to fit.
Is there someone here I can talk to about that and eventually help for the fix?
