紧急警告：你的 pip install 正全盘失守！ 大神 Karpathy 亲自跳了出来，给这件事定了个性：Software Horror。 LiteLLM，月下载量 9700 万的 Python 库，被黑客组织 TeamPCP 植入了恶意代码。 只要你执行了 pip install litellm，你机器上的 SSH 密钥、AWS/GCP/Azure 凭证、Kubernetes 配置 ...

慢雾首席信息安全官 23pds 发推表示，月下载量高达 9700 万次的 Python AI 网关库 LiteLLM 遭遇 PyPI 供应链攻击，攻击者通过 pip install litellm 指令即可在用户设备上窃取敏感信息。可窃取的敏感数据包括：SSH 密钥、云服务凭据（AWS / GCP / Azure）、Kubernetes 配置文件、Git ...

Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain ...

The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. Accessible at pypi.org, PyPI is the default ...

Python developers often need to install and manage third-party libraries. The most reliable way to do this is with pip, Python’s official package manager. To avoid package conflicts and system errors, ...

Cybersecurity researchers have found harmful software in the official Python Package Index (PyPI) and npm package repositories, putting software supply chains at risk. The packages, called termncolor ...

The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks using a fake Python Package Index (PyPI) website. PyPI is a ...

Abstract: Python is the top popular programming language used in the open-source community, largely owing to the extensive support from diverse third-party libraries within the PyPI ecosystem.