Unfortunately the string of phishing attacks using domain-confusionand legitimate-looking emails continues. This is the same attack PyPI saw a few months agoand targeting many other open source repositoriesbut with a different domain name. Judging from this, we believe this type of campaign will continuewith new domains in the future. InContinue Reading
Summary I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens.PyPI was not compromised, and no PyPI packages were published by the attackers. Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored asContinue Reading
Summary PyPI now checks for expired domains to prevent domain resurrection attacks,a type of supply-chain attack where someone buys an expired domainand uses it to take over PyPI accounts through password resets. These changes improve PyPI’s overall account security posture,making it harder for attackers to exploit expired domain namesto gainContinue Reading
PyPI now serves project status markers in its standardindex APIs. This allows downstream consumers (like Python package installers andindex mirrors) to retrieve project statuses programmatically and use them toinform users when a project is archived or quarantined. Summary PyPI has implemented project status markers as proposed and accepted in PEPContinue Reading
The Python Package Index is introducing new restrictions to protectPython package installers and inspectors from confusion attacks arisingfrom ZIP parser implementations. This has been done in response tothe discovery that the popular installer uv has a different extraction behaviorto many Python-based installers that use the ZIP parser implementationprovided by theContinue Reading
Incident Report: Phishing Attack Over the past few days, a phishing attack targeting PyPI users via email was uncovered.Our initial report was posted to raise awareness of the attack,and to provide some initial details on the attack vector. Social media posts linking to the initial report have been shared widely,PyPIContinue Reading
Read the follow-up post: Phishing Attack Follow-Up (Ongoing, preliminary report) PyPI has not been hacked, but users are being targeted by a phishing attackthat attempts to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPIwith their emailContinue Reading
A follow-up to the previous post. We have since learned that the campaign was orchestratedby the company that owns the inbox.ru email domain,and not by a malicious third party as we initially suspected. Following the previous post,a representative of the parent company for inbox.ru reached outto PyPI Admins to discussContinue Reading
A recent spam campaign against PyPI has prompted an administrative action,preventing using the inbox.ru email domain.This includes new registrations as well as adding as additional addresses. The campaign created over 250 new user accounts,publishing over 1,500 new projects on PyPI,leading to end-user confusion, abuse of resources, and potential security issues.Continue Reading
On April 14, 2025 security@pypi.org was notified of a potential security concernrelating to privileges granted to a PyPI User via Organization Teams membershippersisting after the User was removed from the PyPI Organization the Team belongs to. We validated the report as a true finding, identified all cases where this scenariohadContinue Reading