@miketheman.com.bsky.social
Code Gardener. Wrangler of the Unusual. Roller Derby referee. AWS Hero. PyPI Maintainer. Shakshuka lover. he/him https://miketheman.dev
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information:
07.08.2025 16:17 β π 9 π 5 π¬ 0 π 0
π³οΈ Nominations for the 2025 PSF Board election are open!
Help shape the future of the PSF β nominate yourself or someone you think would be a great PSF Board Director by Tuesday, August 12th, 2:00 pm UTC.
The PSF Grants Program has been temporarily paused after hitting our 2025 funding cap early.
It was an extremely difficult but necessary decision to ensure the program and foundationβs near and long term sustainability. Learn more on our blog: pyfound.blogspot.com/2025/08/the-...
Let it never be said that this administration is operating in the interest of the greater good
03.08.2025 15:21 β π 1 π 0 π¬ 1 π 0
Incident Report of the recent #PyPI Phishing Campaign
TL,DR:
β’ PyPI was not breached
β’ PyPI users were targeted with phishing emails
β’ A single project saw uploads with malicious code and those releases have been removed
blog.pypi.org/posts/2025-0...
#Python #OpenSource #Security
Decent guidance for interaction with anyone
29.07.2025 22:31 β π 1 π 0 π¬ 0 π 0I remember when Google did that for JavaScript with Grasshopper before they shut it down. It was fun, and engaging, so I totally would like to see one for Python!
28.07.2025 22:07 β π 0 π 0 π¬ 0 π 0
Always verify the domain is pypi.org before logging in.
Read more: blog.pypi.org/posts/2025-0...
Heads Up, #Python Developers!
There is an active phishing attack targeting PyPI users.
β’ Threat: Emails from noreply@pypj.org (with a 'j') link to a fake login page.
β’ Action: Do not click any links. If you already did, change your PyPI password ASAP.
β’ Note: PyPI itself has not been breached.
π¨ Be aware there's a potential phishing campaign targeting #PyPI / #Python package maintainers:
discuss.python.org/t/phishing-a...
Yep. But if you have their orchestration, this can still help.
Maybe another one could examine the other service for vulnerable pattern?
A good tool in the GitHub Actions toolbox is zizmor.
Plenty of audits on permission scopes.
docs.zizmor.sh
Woohoo nicely done!!
25.07.2025 22:24 β π 1 π 0 π¬ 1 π 0
You can be a part of guiding the future direction of the PSF π©΅ππ Nominate yourself or someone else for the PSF Board for the 2025 election! Nominations open Tuesday, July 29th, 2:00 pm UTC and close Tuesday, August 12th, 2:00 pm UTC. #python
24.07.2025 14:05 β π 8 π 3 π¬ 0 π 1Those are gorgeous, and probably one of the few things that I'm jealous of you outside the city
22.07.2025 15:28 β π 1 π 0 π¬ 1 π 0Thankfully, N > me, and they specialize in analysis and reporting, but it puts extra drain on them and us, cutting into the time better spent on **actual** problems, not your "see? I can poke another hole in a well-known place that allows for holes!" claims.
If you truly want to help, join in.
The impact you have on the ecosystem at large does more harm than good - every time a new "this is for research, don't install this!" project gets uploaded, N amount of other security teams spend resources to review & confirm your garbage, and then escalate to me for further review & removal.
22.07.2025 14:54 β π 1 π 0 π¬ 1 π 0Dear Open Source Supply Chain Security Researchers,
I am glad you get paid to to a job in security, it's very important!
Please please please read the Acceptable Use Policies of services you "attack" - your work puts an ever-increasing drain on already-thin human resources.
Graph titled "TIOBE Programming Community Index" and subtitled "Source: www.tiobe.com", showing difference colored lines rising and falling. The left hand column shows "Ratings %" and the bottom row shows years, 2002 through 2024. Underneath, there is a line listing different programming languages, including Python. Underneath, there is a small chart showing Python as #1 with a rating of 26.98% and an increase of 10.85%.
Python jumped 10%+ on the TIOBE index this month π€©ππ thanks to the entire #Python communityβmaintainers, educators, contributors, and usersβfor helping make Python what it is today!
www.tiobe.com/tiobe-index/
I found @jimgaffigan.bsky.social and wife Jeannie, wandering a pedestrian mall in downtown Jerusalem, and led them to the venue he was trying to find, to perform that night.
I live in NYC
Screenshot from Airplane! movie with words overlaid "We have your clearance, Clarence" "Roger, Roger. What's our vector, Victor?
At AWS Summit NY Keynote, and it's all GenAI or related stuff. All I can hear is this phrase over and over
#AWSSummit #AWSSummitNYC
We want your vote! Voting-eligible PSF Members (Supporting, Contributing, and Fellow) need to affirm their membership to vote in this yearβs Board election to ensure that we meet quorum as required by our Bylaws π³οΈ #python pyfound.blogspot.com/2025/07/affi...
16.07.2025 12:51 β π 1 π 5 π¬ 2 π 0I swear some days you're checking to see if we can discern Al from AI.
15.07.2025 11:59 β π 1 π 0 π¬ 0 π 0Seek out @monorepo.bsky.social who is probably at EuroPython to get some inside track on infra resources used
14.07.2025 23:31 β π 1 π 0 π¬ 1 π 0I'd be curious if you do model PyPI carbon footprint, how you do that and what conclusions you come to!
14.07.2025 21:18 β π 2 π 0 π¬ 1 π 0
Wow, what a trip! I had forgotten about that keynote, just rewatched.
youtu.be/fJOSX-W0yHA?...
Seems still quite relevant, other than Twitter π
Do you recall my Velocity 2013 talk? Of course not! π
My #1 takeaway for professional self-preservation back then was "Learn code" and it stands true today.
You know when you've been writing too much code when you routinely mistype `calls` as `class`.
Damn muscle memory.
See pypi.org/stats/#:~:te... for what others have done to query stats
07.07.2025 14:24 β π 1 π 0 π¬ 0 π 0
Follow this discussion: discuss.python.org/t/pep-792-pr...
07.07.2025 14:22 β π 0 π 0 π¬ 0 π 0
