PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear ...
Google has pledged support for OpenSSF's Package Analysis Project for open source packages uploaded to popular repositories. It has also published the results, which paint a rather interesting picture.
This week, Google launched a free API service that provides software developers with dependency data and security-related information on over 5 million software components across different programming ...
Modern Python developers use virtual environments (venvs) to keep their projects and dependencies separate. Managing project dependencies gets more complex as the number of dependencies grows.