lottiefiles/lottie-player on NPM just yesterday had its publishing API tokens stolen and used to publish malware.
If you're using API tokens to publish to @pypi from GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState: please upgrade to Trusted Publishers to prevent these sorts of attacks.
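An added example (not part of the post above, and not the lottie-player or PyPI maintainers' own code) of what the upgrade looks like on the GitHub Actions side. It assumes a release-triggered workflow saved as `.github/workflows/publish.yml`, a GitHub environment named `pypi`, and that the project has registered that owner/repo/workflow-file/environment combination as a Trusted Publisher in its PyPI project settings. The weak step it replaces, a long-lived `PYPI_API_TOKEN` repository secret, is kept as a comment for comparison.

```yaml
# .github/workflows/publish.yml  (assumed filename; it must match the one registered on PyPI)
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    name: Build and upload release to PyPI
    runs-on: ubuntu-latest
    # Assumed environment name; binding the trusted publisher to an environment lets
    # you add required reviewers / branch restrictions before a publish can run.
    environment: pypi
    permissions:
      # Lets the job request a short-lived OIDC token from GitHub; PyPI exchanges it
      # for a publish token that is valid only for this repo/workflow/environment.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # Weak form this replaces: a long-lived API token stored as a repository secret.
      # Anyone who exfiltrates the secret (a compromised action, a leaked log, a
      # malicious PR in a fork with access) can publish from anywhere, indefinitely.
      #
      # - uses: pypa/gh-action-pypi-publish@release/v1
      #   with:
      #     password: ${{ secrets.PYPI_API_TOKEN }}

      # Trusted Publishing: no `password` input at all. The action picks up the OIDC
      # token granted by `id-token: write` and trades it for a token scoped to this
      # project that expires minutes later, so there is nothing durable to steal.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

Once this is in place, revoke the old token on PyPI (as the reply below does) and remove the `PYPI_API_TOKEN` secret from the repository, so a stale copy cannot be used by anyone who already captured it. A practical check that the switch actually took: PyPI's security history for the project will show uploads attributed to the GitHub publisher rather than to an API token.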
@sethmlarson I'm already using Trusted Publishers but this is also a good reminder to delete those old keys from @pypi: I just deleted three last used in 2023, and one that had never been used.
@sethmlarson @pypi We're waiting for https://github.com/pypi/warehouse/issues/11096, but it looks like there finally is some progress on that front!