2.7 million users downloaded the malicious version during that time, 730,000 are still on that version. This article looks at the timeline, how the compromise happened and what users need to do.
Similar to what happened with NPM a few weeks back, the Python repository had a number of malicious libraries with names very similar to the real ones, like 'crypt' instead of 'crypto'.
Related to the above two articles, Wired looks at how compromising the software supply chain seems to become more popular as an attack vector.
It's an open-source project that allows enterprises to monitor security controls and alert on incorrect security settings.
Good article describing this vulnerability. It's an interesting bug, and does have similarities with Heartbleed, but in practice it's not a huge problem. Patches have been made available.
Vevo is an online video release service working with some big names; you've probably seen them on YouTube. An employee of theirs was compromised through a LinkedIn phishing attack.
They urge developers to use HTTPS instead of FTP for public-facing downloads.
It's free of charge. All you have to do is hook a verified domain to your app, after which App Engine provisions a certificate and keeps it renewed.
Good article explaining the usefulness of a CAA record. In short: it's a sort of whitelist of which CAs (Certificate Authorities) are allowed to issue certificates for your domain. All CAs are now required to adhere to it. Worth looking into.
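To make the whitelist idea concrete, here is an added example (not code from the article) that evaluates a CAA policy the way an issuing CA has to under RFC 8659: find the relevant CAA record set by climbing from the requested name toward the root, then match the CA against the `issue` tags (or `issuewild` for wildcard names). The zone contents are constructed in memory, so it runs without DNS; the domain names and CA names in it are assumptions for illustration only.

```python
"""Decide whether a CA may issue for a name, given CAA records.

Added example, not from the article: implements the relevant-record
lookup (RFC 8659 section 3) and the issue/issuewild semantics
(sections 4.2 and 4.3) over a constructed in-memory zone.
"""

# Constructed zone: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; account=12345"),
        (0, "issuewild", ";"),                    # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.com": [
        (0, "issue", ";"),                        # nobody may issue at all
    ],
}


def relevant_caa(name: str) -> list:
    """Climb from `name` toward the root; return the first CAA set found."""
    if name.startswith("*."):
        name = name[2:]  # the wildcard label itself never holds CAA records
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if ZONE.get(candidate):
            return ZONE[candidate]
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain part of an issue/issuewild value ('' means no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca: str) -> bool:
    """True if `ca` is permitted to issue a certificate for `name`."""
    records = relevant_caa(name)
    if not records:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in records if t == tag]
    # Wildcard requests fall back to "issue" when no "issuewild" tag exists.
    if wildcard and not props:
        props = [v for _, t, v in records if t == "issue"]
    if not props:
        return True  # CAA present, but silent about this kind of issuance
    return any(issuer_domain(v) == ca.lower() for v in props)


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "globalsign.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("strict.example.com", "digicert.com")]:
        print(f"{ca} -> {host}: {'allowed' if ca_may_issue(host, ca) else 'refused'}")
```

Two details worth noticing in the output: `;` as the sole value is the documented way to say "no CA at all" rather than "no restriction", and a record set at a child name (here `strict.example.com`) completely replaces the parent's policy rather than adding to it.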