This page collects WhisperX intelligence signals tagged #pypi. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
The threat actors behind the recent Trivy supply-chain breach have escalated their campaign, now poisoning the Python Package Index (PyPI) with malicious versions of the Telnyx SDK. This latest attack aims to infect developers' systems with credential-stealing malware, marking a continued and aggressive exploitation of...
A critical supply chain vulnerability has been identified in a gateway framework that automatically installs missing Python packages without verification. The flaw, documented in a security disclosure, stems from code that attempts to install dependencies like flask, requests, and flask-cors via subprocess on import if...
A path traversal vulnerability in setuptools' PackageIndex.download function allows remote attackers to write files to arbitrary locations on a target system. The flaw, tracked as CVE-2025-47273 and assigned GHSA-5rjg-fvgr-3xxf, was addressed in version 78.1.1, prompting an urgent dependency update from the prior v70.0...
Security researchers at Kaspersky have uncovered a supply-chain threat targeting developers on PyPI, the dominant Python package repository. Three malicious packages were found implementing their advertised functionality while simultaneously delivering a previously undocumented malware family dubbed ZiChatBot, capable ...
A threat actor identified as TeamPCP has launched a sophisticated supply chain attack campaign, dubbed "Mini Shai-Hulud," targeting npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. The campaign represents a significant escalation in the actor's ongoing campaign against software de...
A sophisticated supply-chain attack campaign dubbed "Shai-Hulud" has compromised hundreds of packages across the npm and PyPI package registries, distributing credential-stealing malware directly into developer environments. The campaign represents a calculated targeting of the software development ecosystem, exploitin...
Microsoft has initiated an investigation into a compromised Python package uploaded to the Python Package Index (PyPI) under the Mistral AI branding. Security researchers have confirmed the malicious package, identified as version 2.4.6, is connected to the broader Mini Shai-Hulud supply chain campaign, highlighting th...
A sophisticated supply chain attack has compromised TanStack and over 160 packages across the npm and PyPI ecosystems, security researchers at Orca Security report. The attack, characterized as a self-propagating worm, represents a significant escalation in software supply chain threats, targeting widely-used developer...
A sophisticated supply chain attack campaign has compromised 172 npm and PyPI packages since May 11, embedding a credential-harvesting worm that survives package removal on affected development workstations. Security researchers warn that any environment that installed or imported these packages should be treated as co...
A threat actor identifying as TeamPCP has claimed responsibility for breaching Mistral AI, the French artificial intelligence company confirmed on Tuesday, in an incident that remains under active investigation. The company simultaneously disclosed that it was impacted by the TanStack supply chain attack, which involve...