Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/sethmlarson/statuses/113403733872568880">Seth Larson (sethmlarson@fosstodon.org)'s status on Friday, 01-Nov-2024 13:03:08 JST</a><a href="https://fosstodon.org/@sethmlarson" title="sethmlarson@fosstodon.org"><img src="https://gnusocial.jp/avatar/203009-48-20231021140729.webp" width="48" height="48" alt="Seth Larson" style="position: absolute; left: 0; top: 0;">Seth Larson</a><div><ul><li></ul></div></section><article><p>lottiefiles/lottie-player on NPM just yesterday had its publishing API tokens stolen and used to publish malware.</p><p>If you're using API tokens to publish to <a href="https://fosstodon.org/@pypi">@pypi</a> from GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState: please upgrade to Trusted Publishers to prevent these sorts of attacks.</p><p><a href="https://fosstodon.org/tags/security" rel="tag">#security</a> <a href="https://fosstodon.org/tags/oss" rel="tag">#oss</a> <a href="https://fosstodon.org/tags/opensource" rel="tag">#opensource</a> <a href="https://fosstodon.org/tags/python" rel="tag">#python</a></p><p><a href="https://docs.pypi.org/trusted-publishers/" rel="nofollow noreferrer">https://docs.pypi.org/trusted-publishers/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3915837#notice-7651060">In conversation</a><time datetime="2024-11-01T13:03:08+09:00" title="Friday, 01-Nov-2024 13:03:08 JST">about 3 months ago</time> <span>from <span><a href="https://fosstodon.org/@sethmlarson/113403733872568880" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@sethmlarson/113403733872568880">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Seth Larson (sethmlarson@fosstodon.org)'s status on Friday, 01-Nov-2024 13:03:08 JSTSeth Larson
- Python Package Index
lottiefiles/lottie-player on NPM just yesterday had its publishing API tokens stolen and used to publish malware.
If you're using API tokens to publish to @pypi from GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState: please upgrade to Trusted Publishers to prevent these sorts of attacks.
#security #oss #opensource #python
https://docs.pypi.org/trusted-publishers/
In conversationabout 3 months ago from fosstodon.orgpermalink

Public

Embed Notice

HTML Code

Corresponding Notice