Mike Fiedler

Mike is a professional engineer with over three decades of experience, having held senior leadership roles at companies including Datadog, MongoDB, LeafLink, Warby Parker, and Paribus (Capital One). He is dedicated to continuous learning and mentoring.

He is a recognized contributor to the tech community, having been a conference speaker since 2012. His accolades include the Awesome Community Chef Award (2016) and being an AWS Container Hero since 2018.

Currently working as the PyPI Safety & Security Engineer at the Python Software Foundation, he devotes his free time to working on open source tools, learning new technologies, and volunteering as a roller derby referee. With a holistic view of systems and software and a passion for problem-solving, Mike helps others navigate the complexities of the tech world.

He can be found on Mastodon, GitHub, and elsewhere online, or wearing stripes at a roller derby game near you.


Sessions

07-15
13:50
60min
Security and Ethics in the Age of Generative AI
Sylwia Budzynska, Maria Lowas-Rzechonek, Mike Fiedler, Seth Michael Larson, Julien Lenormand, Maria Jose Molina-Contreras

This panel brings together experts from different corners of the field to talk about how generative AI is changing cybersecurity and the tricky challenges that come with it. Not only will we explore the technical aspects, but also the ethical considerations our society must have with in this rapidly evolving landscape.

We're not treating this as just a technical conversation. Generative AI in cybersecurity touches code, strategy, and ethics all at once, and we want to dig into all three. By the end of the panel, you should walk away with a clearer sense of the real risks at the language and ecosystem level, some practical lessons from teams working security operations day to day, and a more grounded take on the ethical questions this technology raises.

S3A
07-16
14:30
30min
Anatomy of a Phishing Campaign
Mike Fiedler

In July 2025, PyPI users received emails directing them to pypj.org—a near-perfect clone transparently proxying requests to pypi.org. Within hours, attackers compromised four accounts and uploaded malicious releases of the popular num2words package.

This talk dissects the complete attack chain: how attackers harvested email addresses from public package metadata, built a transparent proxy that relayed TOTP codes in real-time, and why traditional 2FA failed while WebAuthn-based authentication stopped the attack cold.

The session covers the incident response timeline, challenges getting malicious infrastructure taken down (including initial rejection of abuse reports), and defensive measures deployed afterward—including new email verification for TOTP logins from unrecognized devices.

Attendees will learn exactly how modern phishing attacks work against package repositories, the critical difference between "phishable" and "phishing-resistant" 2FA, and practical steps to protect accounts and packages from the next campaign. The talk also examines the September 2025 follow-up campaign targeting pypi-mirror.org and patterns across these ongoing attacks.

Testing, Quality Assurance, Security
S1