Talk
Python package ecosystems are increasingly targeted by supply-chain attacks that compromise legitimate projects, CI/CD pipelines, and publishing credentials. In this talk, we will examine recent real-world incidents such as the Ultralytics compromise and the 2026 TeamPCP campaign affecting LiteLLM and Telnyx on PyPI, then break down how attackers moved from initial compromise to malicious package release. Rather than focusing only on threat headlines, the talk will show practical defenses maintainers and users can adopt immediately: Trusted Publishing, hash-locked dependencies, dependency auditing with pip-audit, secret rotation, and provenance verification with Sigstore and SLSA. The goal is to leave attendees with a clear mental model of Python supply-chain risk and a checklist they can apply to their own projects the same day.
Audience level: Intermediate
What attendees will learn:
• How recent Python supply-chain attacks actually worked.
• How to recognize the most common failure points in publishing and dependency workflows.
• Which controls meaningfully reduce risk for maintainers and consumers.
Why this talk now:
Recent incidents show that attacks are no longer limited to fake packages; legitimate PyPI projects
can be compromised through CI, tokens, and upstream dependencies. Python developers need a
practical, current defense model that fits real workflows.
About the Speaker
ex-AWS engineer, AWS Community Builder, and award-winning technology leader with 22+ years in software engineering, large-scale systems, and product development. Led teams at Amazon Web Services across Australia, building solutions for massive-scale network infrastructure management.
As an adjunct lecturer at the American University of Armenia and AWS Academy accredited instructor, I teach cloud-native development, AWS services, and operational excellence principles.
My conference talks focus on operational excellence, AWS best practices, secure software supply chains, production-ready engineering, and Rust for systems programming.
I help developers build reliable, scalable, and secure systems through actionable techniques drawn from real-world AWS deployments, large-scale operations, and modern language practices.
Passionate about empowering engineering teams to achieve operational excellence through strong company culture, cognitive science principles, and robust software engineering practices while maintaining security and scalability in cloud and systems environments.