Hello there! I am Maria, the inaugural PyPI Support Specialist. I go by "Thespi-Brain" on GitHub. I wanted to provide…
As 2025 comes to a close, it's time to look back at another busy year for the Python Package Index.…
An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud,…
We've implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from…
Trusted Publishing has proven popular since its launch in 2023. Recap: Trusted Publishing enables software build platforms to publish packages…
Unfortunately the string of phishing attacks using domain-confusionand legitimate-looking emails continues. This is the same attack PyPI saw a few…
SummaryI recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI…
SummaryPyPI now checks for expired domains to prevent domain resurrection attacks,a type of supply-chain attack where someone buys an expired…
PyPI now serves project status markers in its standardindex APIs. This allows downstream consumers (like Python package installers andindex mirrors)…
The Python Package Index is introducing new restrictions to protectPython package installers and inspectors from confusion attacks arisingfrom ZIP parser…
This website uses cookies.