There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects.
TL;DR: Adopt Trusted Publishing 🔐🚀📦
RE: https://hachyderm.io/@miketheman/115618016841703831
Use Trusted Publishing instead of long-lived PyPI tokens. For other things, here's how to use 1Password with direnv to set secrets in env vars.
https://hugovk.dev/blog/2025/secrets-in-env-vars/
#security #1Password #direnv #cli #PyPI