You were given the choice between security and convenience. You chose convenience, and you will have neither convenience nor security
Only six months have passed, but the news feed keeps bringing new funny vulnerabilities.
As usual, I don’t focus on system vulnerabilities in snapd / Rust Coreutils / Flatpak, in the kernel (Copy Fail, Dirty Frag, Fragnesia, pidfd, PinTheft, GRO Frag), or in AppArmor.
However dangerous they may be, they are “conditionally” passive: even when present, successful exploitation requires a combination of factors and active steps by someone inside or outside the system.
I’m much more interested in tracking compromises of package distribution systems, libraries, and other package repositories.
These are “active”, direct attacks that need almost no combination of factors: as soon as the package is downloaded and installed, the payload runs in the developer’s environment, collects their personal/financial/authorization information, and then moves on in a chain to every server those credentials gave access to.
Meta-Wiki & Ololoshka
A Staff Security Engineer at the Wikimedia Foundation accidentally imported a malicious script to his account.
Telnyx package compromise
756 thousand downloads per month.
Everything is as usual:
- Files: *.env, ~/.aws/credentials, ~/.ssh/, ~/.gitconfig, ~/.kube/config, ~/.npmrc, ~/.docker/, ~/.pypirc
- ENV: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, NPM_TOKEN, TWINE_PASSWORD
- Crypto wallets
Supply-chain compromise: Trivy → LiteLLM PyPI
95 million downloads per month.
Collects:
- SSH keys
- environment variables (API keys, secrets)
- AWS/GCP/Azure/K8s credentials
- Crypto Wallets
- database passwords
- SSL private keys
- shell history
- CI/CD configs
Compromise elementary-data via GitHub Actions
The PyPI package, the GitHub repository, and the official Docker registry image are all affected.
1.1 million downloads per month.
- Malicious release of Elementary OSS Python CLI v0.23.3
- Malicious elementary.pth file in release 0.23.3
Script collects:
- Yeah, it’s looking for the same stuff. 。^‿^。
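The three payloads above (Telnyx, LiteLLM, elementary) all go after the same files and environment variables, so the most useful check is to see what such an install-time stealer would actually find on your own machine. The script below is an added example, not code from the post or from any of the affected projects: it walks the file list and the environment-variable list exactly as the post gives them, plus a recursive search for `.env` files (the post writes `*.env`), and reports which are present, readable by the current user, and readable by group/others. The fixture directory and the fake environment it audits are constructed sample data; `build_fixture`, `audit_home` and `demo` are names chosen here.

```python
"""What a malicious setup.py / .pth file running as you would harvest.

Added example; the file and variable lists come from the post, everything
else (function names, fixture layout, report format) is an assumption here.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Mapping

# Files the Telnyx / LiteLLM / elementary payloads were reported to collect
# (relative to $HOME). *.env is handled separately as a recursive search.
CREDENTIAL_FILES = [
    ".aws/credentials",
    ".ssh",
    ".gitconfig",
    ".kube/config",
    ".npmrc",
    ".docker",      # ~/.docker/config.json holds registry auth
    ".pypirc",
]

# Environment variables the Telnyx payload was reported to read.
CREDENTIAL_ENV_VARS = [
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "GOOGLE_APPLICATION_CREDENTIALS",
    "NPM_TOKEN",
    "TWINE_PASSWORD",
]


def world_or_group_readable(path: Path) -> bool:
    """True if anyone other than the owner can read the file or directory."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def describe(path: Path) -> dict:
    """Per-hit report: can the current user read it, and are perms loose."""
    entry = {
        "readable": os.access(path, os.R_OK),
        "loose_perms": world_or_group_readable(path),
    }
    if path.is_dir():
        # ~/.ssh or ~/.docker: list the files a stealer would get in one go.
        entry["files"] = sorted(f.name for f in path.iterdir() if f.is_file())
    return entry


def audit_home(home: Path, env: Mapping[str, str]) -> dict:
    """Report the credential files under `home` and the secrets set in `env`.

    Both are parameters (normally Path.home() and os.environ) so the audit
    can be run against a constructed fixture as in demo() below.
    """
    found = {}
    for rel in CREDENTIAL_FILES:
        p = home / rel
        if p.exists():
            found[rel] = describe(p)
    for p in home.glob("**/.env"):        # *.env anywhere below $HOME
        found[str(p.relative_to(home))] = describe(p)
    env_hits = sorted(name for name in CREDENTIAL_ENV_VARS if env.get(name))
    return {"files": found, "env": env_hits}


def build_fixture(root: Path) -> None:
    """Constructed sample home directory (fake data, explicit permissions)."""
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text("[default]\naws_access_key_id = AKIAFAKE\n")
    (root / ".aws" / "credentials").chmod(0o600)
    (root / ".ssh").mkdir()
    (root / ".ssh").chmod(0o700)
    (root / ".ssh" / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n")
    (root / ".ssh" / "id_ed25519").chmod(0o600)
    (root / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA fake\n")
    (root / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_fake\n")
    (root / ".npmrc").chmod(0o644)        # deliberately loose
    (root / "project").mkdir()
    (root / "project" / ".env").write_text("DB_PASSWORD=fake\n")
    (root / "project" / ".env").chmod(0o600)


def demo() -> dict:
    """Run the audit against the constructed fixture and a fake environment."""
    fake_env = {
        "AWS_SECRET_ACCESS_KEY": "fake",
        "NPM_TOKEN": "npm_fake",
        "AWS_ACCESS_KEY_ID": "",          # set but empty: nothing to steal
    }
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        build_fixture(home)
        return audit_home(home, fake_env)


if __name__ == "__main__":
    import json
    # For a real run: print(json.dumps(audit_home(Path.home(), os.environ), indent=2))
    print(json.dumps(demo(), indent=2))
```

Running `audit_home(Path.home(), os.environ)` as the account you develop under shows the same picture the stealer gets; anything listed with `readable: true` is gone the moment a malicious package runs under that account, and `loose_perms: true` means any other local user (or a container sharing the home mount) could read it as well.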
Constant questions
After reading such news, I keep asking the same questions:
- What are keys/tokens doing next to the running project? (Although, if you really want to, you can keep development separate from other projects.)
- Why keep all projects under one system account?
- What are crypto wallets doing under these system accounts?
Perhaps this and my previous publications will give me enough arguments for the dispute with colleagues about “Why do I overcomplicate the configuration of my own system so much?”