Oof. If you were using either of the two libraries mentioned in this article, you might want to regenerate your keys and review your projects.


@claudiom Yeah, this happens somewhat often, I wouldn't be shocked if it was common in node as well.

@seven Yeah, not surprised, especially since this is the third time according to the article. I had heard a while back about issues with malicious code in PyPI so this isn't news to me. Just thought I'd put that out as a PSA.

I know most Linux repositories use some sort of code signing, but does PyPI do that? Is it even possible to implement that on PyPI? 🤔

@claudiom It does, just nothing stopping you from name squatting, much like grabbing typo'd domains from a registrar.
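Signing, as the reply above notes, only proves who uploaded a package, not that its name is the one you meant to type. A check a project can run over its own dependency list is an edit-distance comparison against the packages it knows it depends on; the snippet below is an added example written for this thread, not code from any of the posters, and both the allowlist of package names and the sample requirements file are constructed for illustration.

```python
"""Flag requirement names that look like typosquats of packages a project knows it uses.

Added example for this thread; the allowlist and the sample requirements
file are constructed, not taken from any real project.
"""
import re
from typing import Dict, List, Tuple

# Constructed allowlist: the well-known names this project actually depends on.
KNOWN_PACKAGES = ["requests", "urllib3", "numpy", "cryptography", "django"]

# Constructed sample requirements file; two entries are one character off.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urlib3>=1.26
numpy
crypt0graphy
django==4.2
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement_names(text: str) -> List[str]:
    """Pull the bare project name out of each non-empty, non-comment requirements line."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Cut at the first version specifier, extras bracket, marker or whitespace.
        names.append(re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0])
    return names


def find_suspicious(requirements: str, known: List[str],
                    max_distance: int = 2) -> Dict[str, Tuple[str, int]]:
    """Map each requirement that is NOT on the allowlist but sits within
    max_distance edits of an allowlisted name to (closest name, distance)."""
    suspicious: Dict[str, Tuple[str, int]] = {}
    known_norm = sorted({normalize(k) for k in known})  # sorted for deterministic ties
    for name in parse_requirement_names(requirements):
        n = normalize(name)
        if n in known_norm:
            continue
        best = min(known_norm, key=lambda k: edit_distance(n, k))
        d = edit_distance(n, best)
        if d <= max_distance:
            suspicious[name] = (best, d)
    return suspicious


if __name__ == "__main__":
    for name, (closest, dist) in find_suspicious(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES).items():
        print(f"{name!r} is {dist} edit(s) from {closest!r}; check before installing")
```

A distance threshold of 2 catches dropped, doubled and swapped characters as well as look-alike substitutions such as a zero for an o; names that are far from everything on the allowlist are left alone, since a genuinely new dependency is not a typo, and the reviewer still has to decide which of the flagged names are the intended ones.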
