Python Package Index
pypi.org
@pypi.org
The Python Package Index (PyPI) is the repository of software for the Python programming language. Pronounced 🥧 🫛 👁️
Reposted by Python Package Index
New @pypi.org blog

TL;DR:
- Trusted Publishing used for 25% of all files uploaded in Oct 2025
- @gitlab.com Self-Managed now in beta
- Pending Publishers can be added for Organizations, too!

#Python #SupplyChain #Security

Read it here: blog.pypi.org/posts/2025-1...
Trusted Publishing is popular, now for GitLab Self-Managed and Organizations - The Python Package Index Blog
Expansion of Trusted Publishers feature for more impact
blog.pypi.org
November 10, 2025 at 8:08 PM
Reposted by Python Package Index
PyPI serves billions of requests daily, but sustaining it isn’t free. The PSF joined the OpenSSF & others in calling for organizations to invest in sustainable open infrastructure. Learn what this means for #PyPI, the PSF, & how our community can pitch in:
Open Infrastructure is Not Free: PyPI, the Python Software Foundation, and Sustainability
In September, the Python Software Foundation (PSF) co-signed the Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship Letter published by the Open Source Security Foundation (OpenSSF) as a steward of the Python Package Index (PyPI). As a follow up, I would like to share a bit more about the concerns expressed in this letter as they relate to our community and the PSF.
pyfound.blogspot.com
October 29, 2025 at 1:11 PM
A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:
Token Exfiltration Campaign via GitHub Actions Workflows - The Python Package Index Blog
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
blog.pypi.org
September 26, 2025 at 12:45 PM
🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain.

Read more about what steps we're taking to protect PyPI users from future campaigns:
Phishing attacks with new domains likely to continue - The Python Package Index Blog
A new phishing campaign targeting PyPI users using similar tactics to previous campaigns.
blog.pypi.org
September 23, 2025 at 4:25 PM
Reposted by Python Package Index
The PSF has adopted pypistats.org, ensuring long-term stability while staying open source and community driven 🎉 Thank you to Christopher Flynn, for operating this awesome community service for 6+ years, and for continuing to maintain the project 💪🐍 pyfound.blogspot.com/2025/08/pypi...
August 26, 2025 at 1:01 PM
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security
Preventing Domain Resurrection Attacks - The Python Package Index Blog
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.
blog.pypi.org
August 18, 2025 at 5:32 PM
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information:
Preventing ZIP parser confusion attacks on Python package installers - The Python Package Index Blog
PyPI will begin warning and will later reject wheels that contain differentiable ZIP features or incorrect RECORD files.
blog.pypi.org
August 7, 2025 at 4:17 PM
Reposted by Python Package Index
Always verify the domain is pypi.org before logging in.

Read more: blog.pypi.org/posts/2025-0...
PyPI Users Email Phishing Attack - The Python Package Index Blog
PyPI Users are receiving emails directing them to log in to a fake PyPI site.
blog.pypi.org
July 28, 2025 at 2:35 PM
Reposted by Python Package Index
Heads Up, #Python Developers!

There is an active phishing attack targeting PyPI users.

• Threat: Emails from noreply@pypj.org (with a 'j') link to a fake login page.
• Action: Do not click any links. If you already did, change your PyPI password ASAP.
• Note: PyPI itself has not been breached.
July 28, 2025 at 2:35 PM
Reposted by Python Package Index
my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%:

blog.trailofbits.com/2025/05/01/m...
Making PyPI's test suite 81% faster
See how we slashed PyPI’s test suite runtime from 163 to 30 seconds. The techniques we share can help you dramatically improve your own project’s testing performance without sacrificing coverage.
blog.trailofbits.com
May 1, 2025 at 2:50 PM
Incident report! Thanks to our community for reporting, we take security seriously and work to address issues like these to suit.

blog.pypi.org/posts/2025-0...
Incident Report: Organizations Team privileges - The Python Package Index Blog
We responded to an incident related to privileges persisting via Organization Teams after Members are removed from Organizations.
blog.pypi.org
April 14, 2025 at 10:12 PM
#PyPI takes security very seriously. If you ever run into malware or a security issue with PyPI itself, make sure to follow our reporting instructions carefully, and thank you for your vigilance! pypi.org/security/ #python
Security
The Python Package Index (PyPI) is a repository of software for the Python programming language.
pypi.org
February 21, 2025 at 3:51 PM
Keep up to date and subscribe for updates on #PyPI infrastructure status, including requests, edge requests/errors, and traffic via our public dashboard: status.python.org #python
Python Infrastructure Status
Welcome to Python Infrastructure's home for real-time and historical data on system performance.
status.python.org
February 21, 2025 at 12:05 PM
Into stats? Find various first and third party #PyPI statistics on our website: pypi.org/stats/ #python
Statistics
The Python Package Index (PyPI) is a repository of software for the Python programming language.
pypi.org
February 20, 2025 at 7:31 PM
Want to add your #Python package to #PyPI? Check out our 'Packaging Python Projects' guide:
Packaging Python Projects - Python Packaging User Guide
This tutorial walks you through how to package a simple Python project. It will show you how to add the necessary files and structure to create the package, how to build the package, and how to upload it to the Python Package Index (PyPI).
packaging.python.org
February 20, 2025 at 3:32 PM
Learn about how to install and distribute #Python packages with the 'Python Packaging User Guide', a collection of tutorials and references, maintained by the Python Packaging Authority: packaging.python.org/ #pypi
Python Packaging User Guide
The Python Packaging User Guide (PyPUG) is a collection of tutorials and guides for packaging Python software.
packaging.python.org
February 20, 2025 at 11:48 AM
If you want to get in-depth updates on #PyPI news, updates, and incidents, make sure to regularly read up on our blog: blog.pypi.org/ #python
The Python Package Index Blog
The official blog of the Python Package Index
blog.pypi.org
February 19, 2025 at 4:38 PM
If you've got questions about the basics of #PyPI, your account, integration, project admin, troubleshooting, or what PyPI is all about, make sure to check our FAQ! pypi.org/help/ #python
Help
The Python Package Index (PyPI) is a repository of software for the Python programming language.
pypi.org
February 19, 2025 at 1:13 PM
@python.org raises and distributes funds to improve #Python's packaging ecosystem, including #PyPI. If your company depends on Python or PyPI, send our sponsorship page to those internal decision makers to help sustain Python for all, for free, forever: www.python.org/sponsors/app...
The official home of the Python Programming Language
www.python.org
February 18, 2025 at 4:46 PM
Welcome to the official #PyPI Bluesky account 🦋🐍 Your trusted source for discovering, installing, and sharing #Python packages. Follow us for updates, security news, and incident reports!
The Python Package Index (PyPI) is a repository of software for the Python programming language.
pypi.org
February 18, 2025 at 11:26 AM
Reposted by Python Package Index
I just went through and archived every project I'm the sole owner of that hasn't had a release in 4 years (although that date isn't special, it just happens to be the "youngest" release; oldest, latest release was over 14 years ago).
January 30, 2025 at 9:03 PM
Reposted by Python Package Index
you can now archive projects on @pypi.org!

this work was done by my teammate Facundo @trailofbits.bsky.social and is part of a larger multi-year arc of work dedicated to landing security and usability improvements on PyPI:

blog.trailofbits.com/2025/01/30/p...
PyPI now supports archiving projects
By Facundo Tuesca PyPI now supports marking projects as archived. Project owners can now archive their project to let users know that the project is not expected to receive any more updates. Projec…
blog.trailofbits.com
January 30, 2025 at 3:55 PM
PyPI Now Supports Project Archival: blog.pypi.org/posts/2025-0...
PyPI Now Supports Project Archival - The Python Package Index Blog
Projects on PyPI can now be marked as archived.
blog.pypi.org
January 30, 2025 at 2:47 PM
Reposted by Python Package Index
I recently wrote about how I added the ability to quarantine projects under investigation on @pypi.org

Read here: blog.pypi.org/posts/2024-1...

#Python #Packaging #OpenSource #Security #PyPI
Project Quarantine - The Python Package Index Blog
Handling project quarantine lifecycle status for suspected malware
blog.pypi.org
January 2, 2025 at 7:36 PM