Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Alpha-Omega × Python Software Foundation (PyCon...
Search
Seth Michael Larson
June 16, 2026
50
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Alpha-Omega × Python Software Foundation (PyCon US 2026 Sponsor Presentation)
Seth Michael Larson
June 16, 2026
More Decks by Seth Michael Larson
See All by Seth Michael Larson
PSF Security Engineer Update (PyCon US 2026)
sethmlarson
0
46
The future of trust stores in Python
sethmlarson
0
750
Python HTTP Clients
sethmlarson
0
250
Featured
See All Featured
4 Signs Your Business is Dying
shpigford
187
22k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.8k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Statistics for Hackers
jakevdp
799
230k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
270
VelocityConf: Rendering Performance Case Studies
addyosmani
333
25k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
750
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
790
Thoughts on Productivity
jonyablonski
76
5.2k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
590
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
Transcript
[email protected]
WHAT WE’VE DONE AI IS CHANGING EVERYTHING HOW WE’RE
PLANNING TO SURVIVE Python Security
Alpha-Omega “Protect society by catalyzing sustainable security improvements to the
most critical open source software projects and ecosystems”
Python Software Foundation Security Developer Seth Larson Mike Fiedler PyPI
Safety & Security Engineer
“AI is changing everything” ≈ Security Tools + LLMs
What to expect: • Security Focus Areas • What’s the
Plan? • How YOU can Prepare • Q&A
Malware goes up and to the right
Watering Hole Attacks
“Watering Hole Attacks” Shai-Hulud, LiteLLM, Trivy, Phishing API Tokens Accounts
CI/CD Pipelines Cryptocurrency Ransomware Credentials Repeat 🔁 Malicious Release 📦😈
None
40-50% of installs are not locked/pinned!!!
Trusted Reporters & Quarantine
Python Package Index Audit #2
PyPI: Second Audit
Dependency Cooldowns Now in pip v26.1+ Available in uv, dependabot,
renovate
Security Vulnerabilities
Vulnpocalypse # Vuln Reports 📈 # Patches, Advisories 📈 Time
to Exploit 📉
~65 CVEs
None
None
7+ vulnerabilities in CPython, pip, uv 1 Critical, 3 High
Mitigated with PyPI 💡 Hypothesis + OSS-Fuzz
What’s next for PSF × Alpha-Omega?
Goal: Mitigate “Watering Hole” Attacks
Stop Watering Hole Attacks • Python Package Index: ◦ Trusted
Reporters (Auto-Quarantine) ◦ More Trusted Publishing providers ◦ Relinquishing Privileges? ( sudo Mode) ◦ “Staged Releases” • CPython: ◦ “Secure Distributions”
Goal: Improve Ecosystem Vulnerability “Capacity”
Threat Model Guide Scanning Projects Sec. Engineer Time Incident Response
How to prepare ...as a maintainer?
How to prepare ...as a maintainer? Know who to call:
[email protected]
[email protected]
How to prepare ...as a maintainer? #1: Zizmor #2: CodeQL,
Semgrep, Fuzzer, LLM
How to prepare ...as a maintainer? Threat Model “What isn’t
a vuln?”
How to prepare ...as a maintainer? Security Policy “CoC. Respect
maintainer time”
How to prepare ...as a maintainer? Vulnerability Reporting (Tickets)
How to prepare ...as a user?
How to prepare ...as a user? Lock your deps! pylock.toml,
uv.lock requirements.txt w/hashes
How to prepare ...as a user? Dependency Cooldowns
How to prepare ...as a user? Vulnerability Scanning
How to prepare ...as a user? Prepare for faster vuln.
patching and exploitation
[email protected]
8 TALKS! Saturday, May 16th 10:30am-5:30pm Room 103ABC NEW
Security Talk Track
THANK YOU! Q&A PSF Alpha-Omega PyPI