A fake invoice PDF, layered shortcuts, and public tunnel infrastructure form a compact delivery chain that can swap between multiple remote access trojans without changing the user-facing lure.
A threat-intelligence report points to Dropbox URLs and TryCloudflare Quick Tunnels being used to move malicious Python packages toward AsyncRAT, showing how familiar infrastructure can be bent into a delivery layer for malware.
A cluster of newly weaponised Python artefacts shows how package registries can become code-execution traps for developers and CI/CD systems.
A new wave of malicious PyPI artifacts shows how a small packaging trick can turn routine developer workflows into startup-time execution risk, especially in MCP-linked environments.
A malicious project on Python’s main package index shows why trust in open-source software now starts with name verification, not just reputation.
A PyPI typosquat built to resemble the parsimonious parser library shows how easily trusted package names can be turned into bait for developers.
A reported campaign tied to TeamPCP shows how a single AI middleware package can become a high-value path to secrets, even when the exact compromise method remains unclear.
Three PyPI releases tied to Microsoft’s DurableTask Python client were marked malicious and quarantined, turning a routine dependency into a supply-chain warning for automation-heavy teams.
A PyPI version with no matching upstream trail turned a routine dependency check into a lesson in software provenance, release governance, and build-time trust.
A tampered PyPI release can turn a routine dependency install into a supply-chain risk, especially when developers treat an SDK as trusted infrastructure.
A trusted open-source tool with over a million downloads was weaponized overnight, exposing sensitive developer credentials and crypto wallets worldwide.
A polished PyPI package duped developers, hijacked a university’s AI backend, and siphoned private user data, all under the guise of a “secure” proxy.