In 2023 PyPI completed its first security audit, and I am proud to announce that we have now completed our second external security audit. This work...

   This post will drill deeper into two recent supply chain exploits, targeting users of popular PyPI packages - litellm & telnyx. We also provide...

   Hello there I am Maria, the inaugural PyPI Support Specialist. I go by Thespi-Brain on GitHub. I wanted to provide a dispatch of how this past year ...

   As 2025 comes to a close, it’s time to look back at another busy year for the Python Package Index. This year, we’ve focused on delivering critical...

   An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud,...

   We’ve implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from new...

   Trusted Publishing has proven popular since its launch in 2023. Recap: Trusted Publishing enables software build platforms to publish packages to...

   Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues. This is the same attack PyPI saw a few...

   Summary I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI...

   Summary PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired...

   PyPI now serves project status markers in its standard index APIs. This allows downstream consumers (like Python package installers and index mirrors...

   The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP...

   Incident Report: Phishing Attack Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report was...

   Read the follow-up post: Phishing Attack Follow-Up (Ongoing, preliminary report) PyPI has not been hacked, but users are being targeted by a phishing...

   A follow-up to the previous post. We have since learned that the campaign was orchestrated by the company that owns the inbox.ru email domain, and...

   A recent spam campaign against PyPI has prompted an administrative action, preventing using the inbox.ru email domain. This includes new...

   On April 14, 2025 security@pypi.org was notified of a potential...

   We’re introducing a new Terms of Service to formalize our relationship to users and enable us to move forward with providing new features and...

   Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected...

   Earlier this year, I wrote briefly about new functionality added to PyPI, the ability to quarantine projects. This feature allows PyPI administrators...