After inadvertently finding that InfoSys leaked an AWS key on PyPi I wanted to know how many other live AWS keys may be present on Python package index. After scanning every release published to PyPi I found 57 valid access keys from organisations like: Amazon themselves 😅 Intel Stanford, Portland and Louisiana University The Australian Government General Atomics fusion department Terradata Delta Lake And Top Glove, the worlds largest glove manufacturer 🧤

Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.

Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm.

Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.

Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm.