Security flaws hit PyTorch Lightning deep learning framework

Photo of lightning as popular deep learning framework, PyTorch Lightning, has been found to contain multiple critical security flaws that could potentially allow attackers to execute arbitrary code by loading untrusted model files.

Popular deep learning framework, PyTorch Lightning, has been found to contain multiple critical security flaws.

The deserialisation vulnerabilities, identified under the reference VU#252619, impacts all versions of the framework up to and including version 2.4.0 and could potentially allow attackers to execute arbitrary code by loading untrusted model files.

The discovery of these vulnerabilities was made by Kasimir Schulz from HiddenLayer and the disclosure was...

8 April 2025 | Artificial Intelligence

Python proposes standardised lock file format with PEP 751

Python wrapped around a lock as the community is set to adopt PEP 751 an enhancement aimed at improving dependency management and installation reproducibility that promises to streamline developer workflows, enhance security, and foster greater interoperability between various development tools for packaging.

The Python community is set to adopt PEP 751, an enhancement aimed at improving dependency management and installation reproducibility.

PEP 751 introduces a standardised file format, pylock.toml, designed to create an immutable record of both direct and indirect dependencies for Python environments. Recently marked as 'Accepted,' the proposal promises to streamline workflows, enhance security, and foster greater interoperability between various Python packaging...

2 April 2025 | Developer

Python package ‘set-utils’ targets Ethereum wallets

Photo of an Ethereum coin as researchers from Socket uncover a malicious package designed to steal private keys for Ethereum wallets to steal crypto within the Python Package Index (PyPI).

A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI).

According to Socket, this package – named 'set-utils' – masquerades as a utility for Python sets and has been actively targeting developers.

"The Socket Research Team has discovered a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions," the team...

6 March 2025 | Blockchain

Google deploys Data Science Agent to Colab users 

Screenshot of Google Colab as the company empowers data scientists and researchers with the deployment of the Data Science Agent to its Colab platform.

Google is empowering data scientists and researchers with the deployment of the Data Science Agent to its Colab platform.

For those unfamiliar, Google Colab is a free, cloud-hosted Jupyter Notebook environment allowing users to write and execute Python code within their browser. By providing free access to Google Cloud GPUs and TPUs, Colab has become a vital tool for running AI models and enhancing project collaboration with minimal infrastructure setup.

Google has now...

4 March 2025 | Artificial Intelligence

2024 Developer Ecosystem: Shedding AI fears, improving DevEx

Happy person sat at a computer illustrating the release of the 2024 State of Developer Ecosystem Report that highlights a number of key software development trends including the acceptance of AI in tools, split between desktop and mobile programming, growth in DevEx, and expected salaries.

Each year, JetBrains, the maker of developer tools like IntelliJ IDEA and PyCharm, compiles its "State of Developer Ecosystem Report," and the 2024 edition offers plenty of insights for the tech community to dissect.

Based on the input of over 26,000 developers worldwide, this year’s edition highlights key trends in programming languages, tools, and processes—placing a particular focus on AI adoption, career shifts, and the state of developer experience (DevEx). 

AI's...

11 December 2024 | Artificial Intelligence

Python package ‘fabrice’ steals AWS credentials

Red fabric illustrating the typosquatting of a popular Python package that steals AWS credentials from unsuspecting software developers on Linux and Windows.

The Socket Research Team has identified a malicious Python package named 'fabrice', which poses as the popular 'fabric' SSH automation library and steals AWS credentials from unsuspecting developers.

This discovery underscores the continuing risk of malware being delivered via deceptively named open-source libraries, following recent large-scale attacks that have targeted NPM users.

Since its live debut on the PyPI repository in 2021, 'fabrice' has been covertly...

7 November 2024 | Developer

Holistic’s open-source tools counter AI development risks

Woman punching illustrating the launch of Holistic AI open-source tools to counter artificial intelligence software development risks and algorithmic bias.

Holistic has unveiled an open-source library to help counter AI development risks and build fairer and more responsible systems.

The library – dubbed Holistic AI OSL – arrives at a crucial moment when organisations are increasingly deploying AI systems across sensitive domains including recruitment, healthcare, and financial services. Recent studies suggest that 65% of AI researchers and developers still consider bias a significant challenge in their work.

Holistic...

23 October 2024 | Artificial Intelligence

Entry points threaten multiple open-source ecosystems

Sign illustrating how vulnerabilities with entry points can be exploited by hackers to threaten open-source packages of multiple programming ecosystems.

While current tools have improved at detecting common tactics for exploiting open-source packages, a feature remains largely overlooked: entry points.

Security researchers at Checkmarx uncovered how attackers can leverage entry points across multiple programming ecosystems, with a particular focus on PyPI, to trick victims into running malicious code. This method – while not allowing for immediate system compromise – offers a subtler approach for patient attackers to...

14 October 2024 | Developer

North Korean hackers target developers in latest npm attack wave

A fresh offensive by suspected North Korean hacking groups has targeted the open-source software community with a series of malicious packages uploaded to the npm repository.

Identified by cybersecurity firm Phylum, the attacks leverage multiple techniques and appear designed to steal cryptocurrency and sensitive data from unsuspecting developers.

The campaign began on 12th August and involves several distinct publication patterns and attack types, suggesting the...

29 August 2024 | Developer

SQL, Python, and Java most sought-after skills

SQL, Python, and Java remain the most sought-after programming skills by employers, according to new research from System Design School. The study analysed job listings on Glassdoor, revealing the languages most frequently cited as required skills.

"In today's competitive job market, having the right skills is more important than ever, and this data provides clear evidence of the programming languages employers are seeking,” commented Sheldon Chi, ex-Google engineer and creator...

19 August 2024 | Analytics