Mateusz Bełczowski

I'm a Python developer with over 10 years of experience building web applications and APIs. I co-organize PyGDA, a local Python meetup in Poland, and have experience as a Python trainer. In recent years, I've developed a growing interest in web application security and DevSecOps. When I'm not coding, you'll find me playing table tennis or chess.

What's in your dependencies? Supply chain attacks on Python projects

Talk
Your Django project doesn't just depend on Django - it depends on dozens, sometimes hundreds, of packages. Each one is code that runs with your privileges. What happens when one of them gets compromised? This isn't theoretical. Attackers have phished maintainers to publish malicious versions of trusted packages. They've exploited CI/CD pipelines to inject crypto miners into popular libraries. They've registered typosquatted package names and waited for developers to mistype. This talk examines how these attacks work and what you can do about them. We'll look at real incidents to understand the attack patterns - how attackers get in, what payloads they deploy, and how compromises get detected. And we'll build a practical defense toolkit: scanning for known vulnerabilities, evaluating new dependencies before installing them, and hardening your workflow against supply chain attacks. The talk is aimed at Django developers who want to understand the threat landscape and leave with concrete steps they can implement immediately. No security background required - just familiarity with pip and the general shape of a Django project.
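The abstract mentions evaluating a dependency before installing it and hardening the workflow. The script below is an added illustration of what such a pre-install check can look like; it is not material from the talk or the speaker. It parses a requirements file offline, normalizes names the way PyPI does (PEP 503), flags names that are one or two keystrokes away from a project-specific trusted list (the typosquatting pattern the abstract describes), and reports requirements that are not pinned with `==` or carry no `--hash=` entry. The trusted list, the sample requirements and the placeholder sha256 digest are all constructed for this example.

```python
"""Pre-install checks for a requirements file: look-alike names and
unpinned / unhashed requirements.

Added example, not code from the talk. TRUSTED_PACKAGES, the sample
requirements and the zero-filled sha256 digest are constructed here.
"""
import re
from dataclasses import dataclass, field

# Constructed allowlist: the names this (hypothetical) project intends to use.
TRUSTED_PACKAGES = {
    "django", "requests", "celery", "psycopg2-binary", "gunicorn", "pillow",
}

# Matches the start of one requirement: name, optional extras, optional specifier.
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?P<spec>(?:==|>=|<=|~=|!=|>|<)\s*[^\s;#\\]+)?"
)

# Constructed sample requirements.txt; the digest is a placeholder, not a real one.
SAMPLE_REQUIREMENTS = """\
django==5.0.6 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.31
reqeusts==2.31.0
psycopg2_binary==2.9.9
colourama==0.4.6
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot one- or two-keystroke look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    requirement: str
    problems: list = field(default_factory=list)


def check_requirements(text: str, trusted=TRUSTED_PACKAGES, max_distance: int = 2) -> list:
    """Return one Finding per requirement that has at least one problem."""
    findings = []
    trusted_norm = {normalize(t) for t in trusted}
    # Join backslash continuations so '--hash=' lines stay with their requirement.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, or a pip option such as -r / --index-url
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, ["unparseable requirement"]))
            continue
        name = normalize(m.group("name"))
        spec = (m.group("spec") or "").replace(" ", "")
        problems = []
        if name not in trusted_norm:
            near = sorted(t for t in trusted_norm if levenshtein(name, t) <= max_distance)
            if near:
                problems.append("possible typosquat of " + ", ".join(near))
            else:
                problems.append("not in trusted list: review before installing")
        if not spec.startswith("=="):
            problems.append("not pinned with ==")
        if "--hash=" not in line:
            problems.append("no --hash=, so pip cannot verify the downloaded file")
        if problems:
            findings.append(Finding(line, problems))
    return findings


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f.requirement.split()[0])
        for p in f.problems:
            print("  -", p)
```

Run against the constructed sample, the script passes the pinned and hashed `django` line and reports the other four: the unpinned `requests`, the transposed `reqeusts` (edit distance 2 from `requests`), the correctly spelled but unhashed `psycopg2_binary`, and `colourama`, which is simply not on the trusted list. For real projects the hashes come from `pip hash` on a downloaded artifact or from `pip-compile --generate-hashes`, and `pip install --require-hashes` then refuses anything that does not match.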