Python

• LangChain and LangGraph CVEs Expose Files, Secrets, and Conversation History Across 84 Million Weekly Downloads March 27, 2026

  Three CVEs in LangChain and LangGraph - path traversal, serialization injection, and SQL injection - expose files, environment secrets, and conversation history in frameworks downloaded 84 million times per week.

• LiteLLM PyPI Supply Chain Attack: The .pth File That Steals Everything March 24, 2026

  LiteLLM versions 1.82.7 and 1.82.8 on PyPI contain a malicious .pth file that auto-executes a credential stealer on every Python interpreter startup -- no import required. The same TeamPCP infostealer that hit Trivy in March.

• OpenAI Acquires Astral: The Python Toolchain Moves Inside Codex March 19, 2026

  OpenAI is acquiring Astral -- the team behind uv, Ruff, and ty, with hundreds of millions of monthly downloads. The tools that manage Python environments, lint code, and enforce type safety are moving inside Codex. What changes, what doesn't, and what the governance questions are.