Python Developer Tooling Handbook – Security

PyPI Moved 1.92 Exabytes Last Year. Its Safety Team Is One Person.

Tim Hopper — Wed, 20 May 2026 00:00:00 +0000

On July 26, 2025, PyPI maintainers received phishing emails pointing at pypj.org. The domain proxied the real PyPI login page in real time. The address bar showed hxxps://pypj.org/, the lowercase j close enough to an i that four maintainers signed in anyway. The proxy captured each TOTP code in the fraction of a second PyPI accepted it, logged in, generated API tokens, and uploaded two malicious releases of num2words (0.5.15 and 0.5.16) before anyone noticed. PyPI shipped a phishing-domain detector on July 28 at 11:37 EDT and revoked the tokens; the registrar parked the domain shortly after.

Lightning Got Owned: When `import lightning` Steals Your Credentials

Tim Hopper — Thu, 30 Apr 2026 00:00:00 +0000

import lightning shows up at the top of millions of PyTorch training scripts. On April 30, 2026, that line was enough to ship a developer’s credentials to an attacker.

Two malicious versions of the lightning PyPI package, 2.6.2 and 2.6.3, were uploaded today. Lightning averages 311 thousand downloads a day, and any CI that ran uv sync --upgrade between the upload and the takedown pulled the bad wheel. Neither version corresponds to a GitHub release on Lightning-AI/pytorch-lightning; the latest tagged release there is still 2.6.1 from January 30. The bad code was uploaded directly to PyPI, which is the same pattern as the litellm compromise six weeks ago. Socket flagged both releases 18 minutes after upload, and PyPI has since quarantined the entire project.

Astral told you how they secure uv. Here's what to keep.

Tim Hopper — Thu, 16 Apr 2026 00:00:00 +0000

Astral published a detailed writeup of how they secure the org that ships uv, Ruff, and ty. It’s a good post. It’s also, for most readers, the wrong post.

Most of what Astral describes is team-scale GitHub hygiene: org-wide branch protection rulesets, workflow audits with zizmor, action pinning with pinact, isolated GitHub Apps for privileged operations. If you run a project with outside contributors, read the whole thing. If you’re one person shipping a Python package, a lot of it is overkill for the threat model you actually face.

PyPI's Second Audit Found 14 Bugs. Two Remain.

Tim Hopper — Thu, 16 Apr 2026 00:00:00 +0000

PyPI completed its second external security audit today. Trail of Bits found 14 issues in the Warehouse codebase: 2 High, 1 Medium, 7 Low, 3 Informational, 0 Critical. Twelve were patched. Two were accepted as known gaps. The work was funded by the Sovereign Tech Agency, with remediation by PSF’s Mike Fiedler through Alpha-Omega support.

An audit of PyPI is an audit of the index infrastructure, not of the packages hosted on it. None of the findings describe malware in the wild. The patched bugs are the predictable part; the accepted ones are where the signal lives.

LLM-Powered Copycats Are Flooding PyPI

Tim Hopper — Wed, 08 Apr 2026 00:00:00 +0000

A developer named Roman Dubrovin published repowise, a tool for generating structured wikis from codebases, as his first PyPI package. The next morning, he searched for it on PyPI and found three new packages he didn’t recognize: repowise-pro, repowise-enhanced, and repowise-next.

All three had been uploaded within a 90-minute window. All three carried the same description: “Codebase intelligence that thinks ahead — outperforms repowise on every dimension.”

They weren’t empty shells. Someone had forked Dubrovin’s AGPL-3.0 licensed source code, run it through an LLM to patch a couple of minor issues, and republished under new names without attribution or license compliance. A community member confirmed that all three packages traced back to the same person and the same GitHub repository.

LiteLLM Got Owned, and Your Dependencies Might Be Next

Tim Hopper — Tue, 24 Mar 2026 00:00:00 +0000

Earlier today, someone published malicious versions of litellm (versions 1.82.7 and 1.82.8) to PyPI. No corresponding release appeared on GitHub. The package was uploaded directly to PyPI, bypassing the normal release process, which points to a compromised maintainer account or token.

What the malware did

The payload was a .pth file named litellm_init.pth. Python executes .pth files automatically on interpreter startup, so the malware ran without any user interaction once the package was installed.

Pydantic Monty: A Secure Python Interpreter for AI Agents

Tim Hopper — Fri, 06 Feb 2026 10:00:00 -0500

Pydantic has released Monty, a minimal Python interpreter written in Rust for safely executing LLM-generated code.

AI agents that generate code face a tradeoff: trust the generated code completely, or spin up containers for isolation. Containers are slow and resource-intensive. Trusting arbitrary code is risky. Monty sidesteps both by sandboxing execution at the interpreter level, blocking dangerous operations while running Python in microseconds.

How It Works

Monty provides a straightforward API:

Dependabot Now Supports uv

Tim Hopper — Fri, 14 Mar 2025 09:26:00 +0000

As of March 13, 2025, Dependabot officially supports uv.

Dependabot monitors repositories for outdated or insecure dependencies and creates pull requests to update them. GitHub’s tool supports npm, pip, Maven, Docker, and now uv.