https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection
Pip cache poisoning - pretty neat breakdown. I'd never heard of zizmor, but seems to be a static analysis for GHA. It would be beyond hilarious if zizmor was malware for exfiltrating GHA tokens, and this whole post was to introduce why people should use it.
bitter-ability-32190
12/13/2024, 12:51 AM
I met the author 2 PyCons ago. Cool guy. Does a lot of interesting security work for Trail of Bits (I think).
wide-midnight-78598
12/13/2024, 1:03 AM
Ah neat! I've used their... I think... Rust fuzzer, and Algo VPN thing in the past.