A critique of existing SAST tools for Python security analysis and an introduction to Python Code Audit, a new FOSS-licensed, local-first static code scanner designed for simplicity and Python-specific vulnerability detection without executing code.
Analysis of 15,000+ top PyPI packages reveals only 1.58% ship with SBOMs (238 packages), all CycloneDX format with zero SPDX adoption. The study, enabled by PyPI-TEA (a PEP 770 bridge to the Transparency Exchange API), identified 37 invalid SBOMs all tracing to a single cargo-cyclonedx bug and highlights the urgent need for improved SBOM adoption in the Python ecosystem.
utm-builder is a CLI tool for bulk generating UTM-tagged tracking links from CSV inputs with validation and audit capabilities, sold as a one-time $1.99 purchase.
A Flask/Jinja2 template injection vulnerability was discovered in an email generation utility that evaluated user input in email subject fields. The attacker exploited Python object introspection through Jinja2 syntax to access the file class and read sensitive files including configuration files with API keys and encryption keys from a GCE instance.
A bug bounty writeup describing the exploitation of a payment application through combined rounding logic errors (0.009 rounded to 0.01 without card verification) and race conditions in concurrent request handling to bypass deposit minimums and arbitrarily increase account balance.
Interview with Nathan Goldbaum on his work eliminating Python's GIL and modernizing the Python scientific ecosystem, including discussions on standardization via the Array API, package management advances (Conda, Pixi), and increasing Rust adoption in scientific computing.
AVA is a self-hosted, open-source AI voice agent that integrates with legacy Asterisk phone systems via ARI, supporting multiple STT/LLM/TTS providers (both cloud and local) with advanced barge-in detection and adaptive audio transport orchestration to bridge SIP/RTP with modern WebSocket streams.