Preventing ZIP parser confusion attacks on Python package installers
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP parser implementations. This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the
PyPI Phishing Attack: Incident Report
Incident Report: Phishing Attack. Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report was posted to raise awareness of the attack, and to provide some initial details on the attack vector. Social media posts linking to the initial report have been shared widely, PyPI
PyPI Users Email Phishing Attack
Read the follow-up post: Phishing Attack Follow-Up (Ongoing, preliminary report). PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPI with their email
inbox.ru Domain Prohibition Follow-up
A follow-up to the previous post. We have since learned that the campaign was orchestrated by the company that owns the inbox.ru email domain, and not by a malicious third party as we initially suspected. Following the previous post, a representative of the parent company for inbox.ru reached out to PyPI Admins to discuss
Prohibiting inbox.ru email domain registrations
A recent spam campaign against PyPI has prompted an administrative action, preventing use of the inbox.ru email domain. This applies to new registrations as well as to adding such addresses as additional addresses on existing accounts. The campaign created over 250 new user accounts, publishing over 1,500 new projects on PyPI, leading to end-user confusion, abuse of resources, and potential security issues.
Incident Report: Organizations Team privileges
On April 14, 2025, security@pypi.org was notified of a potential security concern relating to privileges granted to a PyPI User via Organization Teams membership persisting after the User was removed from the PyPI Organization the Team belongs to. We validated the report as a true finding, identified all cases where this scenario had
Introducing our new Terms of Service
We’re introducing a new Terms of Service to formalize our relationship to users and enable us to move forward with providing new features and services, specifically Organization Accounts. PyPI has had some form of Terms of Use document for users since it began accepting uploads in 2005 and it has only been updated twice since. These terms have primarily served
PyPI Now Supports Project Archival
Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected to receive any more updates. This allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that
Project Quarantine
Earlier this year, I wrote briefly about new functionality added to PyPI, the ability to quarantine projects. This feature allows PyPI administrators to mark a project as potentially harmful, and prevent it from being easily installed by users to prevent further harm. In this post I’ll discuss the implementation, and further improvements to
Supply-chain attack analysis: Ultralytics
Last week, the Python project “ultralytics” suffered a supply-chain attack through a compromise of the project’s GitHub Actions workflows and subsequently its PyPI API token. No security flaw in PyPI was used to execute this attack. Versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 were affected and have been removed from PyPI.