Python Package Index

Over the past year (and a half!), our inaugural PyPI Support Specialist, Maria Ashna, helped tackle backlogs, improve support processes, and keep #PyPI running smoothly for the #Python community.

Read the full reflection on what that work looked like 👇
https://blog.pypi.org/posts/2026-01-26-a-year-and-a-half-as-inaugural-pypi-support-specialist/

2025 was another eventful year for PyPI! Critical security enhancements, powerful new org features, a better overall user experience, and transparent security incident response 🎉👏 Thank you, PyPI team & community!

Learn more on our blog: https://blog.pypi.org/posts/2025-12-31-pypi-2025-in-review/

A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/

🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain.

Read more about what steps we're taking to protect PyPI users from future campaigns:
https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information:
https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks/

We're happy to share that we've started a #PyPI Bluesky account 🦋🐍 and we welcome you to follow us if you're over there! We will still continue to post and interact here on Mastodon, as well. https://bsky.app/profile/pypi.org #python
https://bsky.app/profile/pypi.org

PyPI package maintainers can now publish via Trusted Publishing from three additional providers:

- GitLab
- Google Cloud
- ActiveState

They join GitHub Actions to support publishing without long-lived passwords or API tokens.

#pypi #python
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

PyPI now has an improved way to report #malware, via #PyPI itself! Available on web and preview beta API. Learn more and sign up to help test:

https://blog.pypi.org/posts/2024-03-06-malware-reporting-evolved/

Looking back at 2023 @miketheman@hachyderm.io uncovered some impressive metrics that we want to share! A big thanks to Fastly- And also @awsopen@beta.birdsite.live for making Mike’s job possible! #thankyou #PyPI #python

TestPyPI (http://test.pypi.org) now requires 2FA for all users to perform management actions.

This comes ahead of January 1, 2024 when the same requirement will be applied to all users of PyPI (http://pypi.org).

Read more at https://blog.pypi.org/posts/2023-12-06-2fa-enforcement-on-testpypi/

upload.pypi.org now enforces that users with 2FA enabled must use an API token or Trusted Publisher configuration in place of their passwords.

Read the announcement and details at: https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/