mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit

#pypi

dear #python #lazyweb #pypi

Should I bother listing specific Python versions in classifiers, like "Programming Language :: Python :: 3.13", when there's also requires-python in pyproject.toml?

Also should I take the trouble of specifying Python :: 3 :: Only in 2025?

While preparing my talk, I found some (small) accessibility issues in the PyPI warehouse project, but it seems like only maintainers can raise issues and I don't know what to do now; the other types of issues don't seem to fit.
Is there someone here I can talk to about that and eventually help with the fix?

I'm trying to publish a #Python package (chirun) on #PyPI.

It depends on a fork of another package that has some bug fixes that I'm waiting to be merged into the original package.

PyPI doesn't like me specifying a git repo address as a dependency.

Do I need to publish the fork on PyPI in order to use it as a dependency in chirun?


"Users of PyPI and package managers in general should be checking that the package they are installing is an existing well-known package, that there are no typos in the name, and that the content of the package has been reviewed before installation."

#MikeFiedler, Safety & Security Engineer, PyPI, 2025

theregister.com/2025/04/12/ai_

Or, people could take responsibility for what they host on their code and package repositories, and stop hosting and shipping malware. How about that?

The Register · LLMs can't stop making up software dependencies and sabotaging everything, by Thomas Claburn

Malicious PyPI Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and steals crypto tokens. The package overrides certain API functions, redirecting trading requests to a malicious server at greentreeone.com instead of the legitimate MEXC platform. It uses obfuscation techniques to hide its malicious code and tricks users into believing their orders are being processed normally. The attackers can potentially steal API keys, secrets, and other sensitive information used for crypto trading. Users are advised to revoke any compromised tokens and remove the malicious package immediately.

Pulse ID: 67ffc3f9b1d4fcf877bf0734
Pulse Link: otx.alienvault.com/pulse/67ffc
Pulse Author: AlienVault
Created: 2025-04-16 14:51:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


[Translation] When AI becomes a Trojan horse: 43% of "hallucinated" package names recur regularly in generated code

AI assistants regularly "hallucinate" non-existent packages, and attackers use these names to host malicious code in repositories. Research shows that 5.2% of package recommendations from commercial models do not exist, and for open-source models the figure reaches 21.7%. This technique, named "slopsquatting", is especially dangerous in the era of "vibe coding", when developers trust AI recommendations unconditionally.

habr.com/ru/articles/901198/

Habr · When AI becomes a Trojan horse: 43% of "hallucinated" package names recur regularly in generated code. Hi everyone! My name is Alexander, I'm COO at a SaaS data analytics platform. The topic of security, with the active spread of "vibe coding" (on Habr the term monkey-coding seems to have caught on), raises...

I'm playing around with some frontend webdev stuff on #guix. There is a library on #pypi that is wheels only that includes binary of nodejs with js scripts which in turn download web browser libraries. It's a real fun trying to use this on a distro that is source only.

I'm not responding to anything that has happened yet today, but given the past couple weeks, I'm thinking I should just add pipx upgrade yt-dlp to a cronjob on all my computers now. XD

(Like, every third day or so, to be kind to the #PyPI servers ^__^)

#Youtube's war against its own users is getting nuts.