PyPI Packages Keep Getting Compromised — Can Pixi and Rattler's Signing Help?
LiteLLM, Telnyx, and hundreds of PyPI packages compromised in 2025-2026. Rattler has Sigstore signing, pixi has Trusted Publishing — but neither verifies at install time. Here’s what works, what’s missing, and how an agentic builder could close the gap.