2026-04-17T15:12:24Z https://yabu.me Python Package Index https://yabu.me/npub1g52zm7t45x9srp48swy44hc03k2qzkckd63vyqfl0jvnvkzz8n0ql68fy6 https://cdn.fosstodon.org/accounts/avatars/110/460/563/228/175/137/original/3ae1e745c2f1e485.jpg https://cdn.fosstodon.org/accounts/avatars/110/460/563/228/175/137/original/3ae1e745c2f1e485.jpg https://yabu.me/nevent1qqsts79cur532sdx3v9xz7000s998cmgnfezunhy4hwg3rw7f7cdejqzypz3gt0ewksckqvx57pcjkklp7xegq2mzeh29ssp8a7fjdjcgg7du4ep5kq 🔎🔐 #PyPI has completed its second external #security audit! Thanks to <span itemprop="mentions" itemscope itemtype="https://schema.org/Person"><a itemprop="url" href="/npub1yng6dx32zrl2qhp2kq26al7uzkwqkugrkaxf4gsycs9r5snrkjdqlznhrk" class="bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1"><span>Sovereign Tech Agency</span> (<span class="italic">npub1yng…nhrk</span>)</a></span> for funding, <span itemprop="mentions" itemscope itemtype="https://schema.org/Person"><a itemprop="url" href="/npub1rcsevfzqfj6xzk0rajfaftsnq4f4wewydfyxd9u46jch4sxta60qjz7sw8" class="bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1"><span>Trail of Bits</span> (<span class="italic">npub1rcs…7sw8</span>)</a></span> for the audit, and Alpha-Omega for supporting rapid remediation. Find the full report on the Trail of Bits publication page. #Python<br/><a href="https://blog.pypi.org/posts/2026-04-16-pypi-completes-second-audit/">https://blog.pypi.org/posts/2026-04-16-pypi-completes-second-audit/</a> 2026-04-16T13:26:36Z https://yabu.me/nevent1qqs9d02asgznaw5avj26nw04mwp09jlg56vmv7nzxuus0089avf5w8czypz3gt0ewksckqvx57pcjkklp7xegq2mzeh29ssp8a7fjdjcgg7duxwp8aj A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:<br/><a href="https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/">https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/</a> 2025-09-26T12:45:39Z https://yabu.me/nevent1qqsqejyq07f4dennjye3j9x8cz2240e7kdrtuerqsnk660nscqqa2qszypz3gt0ewksckqvx57pcjkklp7xegq2mzeh29ssp8a7fjdjcgg7dufdnqsn PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security<br/><a href="https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/">https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/</a> 2025-08-18T17:32:48Z