Unfortunately the string of phishing attacks using domain-confusionand legitimate-looking emails continues. This is the same attack PyPI saw a few…
SummaryI recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI…
SummaryPyPI now checks for expired domains to prevent domain resurrection attacks,a type of supply-chain attack where someone buys an expired…
PyPI now serves project status markers in its standardindex APIs. This allows downstream consumers (like Python package installers andindex mirrors)…
The Python Package Index is introducing new restrictions to protectPython package installers and inspectors from confusion attacks arisingfrom ZIP parser…
Incident Report: Phishing AttackOver the past few days, a phishing attack targeting PyPI users via email was uncovered.Our initial report…
Read the follow-up post: Phishing Attack Follow-Up(Ongoing, preliminary report)PyPI has not been hacked, but users are being targeted by a…
A follow-up to the previous post.We have since learned that the campaign was orchestratedby the company that owns the inbox.ru…
A recent spam campaign against PyPI has prompted an administrative action,preventing using the inbox.ru email domain.This includes new registrations as…
On April 14, 2025 security@pypi.org was notified of a potential security concernrelating to privileges granted to a PyPI User via…
This website uses cookies.