Python Package Index (@pypi) 's Twitter Profile
Python Package Index

@pypi

The Python Package Index (PyPI) is the repository of software for the Python programming language. Pronounced 🥧 🫛 👁️

ID: 909754784705597441

https://blog.pypi.org | 18-09-2017 12:23:37

366 Tweets

21.21K Followers

11 Following

Python Package Index (@pypi) 's Twitter Profile Photo

This weekend, we detected & mitigated an account takeover attack affecting several PyPI users. At this time, we have not found evidence of malware or any other malicious activity beyond unauthorized account access. Our incident report has more details. blog.pypi.org/posts/2024-04-…

Python Package Index (@pypi) 's Twitter Profile Photo

Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers:
- 🦊 GitLab
- Google Cloud
- ActiveState
They join GitHub Actions to support publishing without long-lived passwords or API tokens. blog.pypi.org/posts/2024-04-…

ActiveState (@activestate) 's Twitter Profile Photo

🎉 ActiveState is pleased to announce our inclusion as a Trusted Publisher to PyPI, enabling Python authors to securely publish Python packages directly via ActiveState’s Platform. Become a trusted author today: ow.ly/Z34i50RikiO #ActiveState #TrustedPublisher #PyPI

ActiveState (@activestate) 's Twitter Profile Photo

Concerned about the security of your Python packages? 🔒 Gain actionable insights and best practices in our upcoming webinar on securing @PyPI and open-source ecosystems. Register now to secure your spot: hubs.ly/Q02svkR70 #PyPI #Cybersecurity #OpenSourceSecurity

Python Software Foundation (@thepsf) 's Twitter Profile Photo

We’re grateful for Fastly’s #FastForward program. With our Fastly-sponsored CDN, in 2023 Python Package Index had a 99% cache-hit ratio, averaging ~36k requests/sec! Thank you for providing solutions so we can focus on our mission to support the #python community 💙💛 x.com/fastly/status/…

Python Software Foundation (@thepsf) 's Twitter Profile Photo

Enormous news! The Python Software Foundation now has a 5 year commitment with Fastly to deliver Python Package Index, us.pycon.org, and much more. We appreciate you and your continued investment in the #python community, Fastly! #PyConUS

Python Software Foundation (@thepsf) 's Twitter Profile Photo

Astral is starting a fund to support open source projects and maintainers 💝 Thank you Astral for your support of open source, the PSF, and the #python community, especially Python Package Index and CPython! x.com/astral_sh/stat…

Python Package Index (@pypi) 's Twitter Profile Photo

"In 2023, Google’s Open Source Security Team (GOSST) helped to fund the launch of Trusted Publishing for PyPI and supported the rollout of 2FA enforcement across PyPI" 👏👏👏

Vinayak Mehta (@vortex_ape) 's Twitter Profile Photo

i'm late to the party but just started using trusted publishing on Python Package Index and it's such a nice experience! just create a release.yml on github and add the repo name on the pypi project, that's it! it's so good to not deal with creating api tokens and putting them on github

Python Package Index (@pypi) 's Twitter Profile Photo

We're happy to share that we've started a #PyPI Bluesky account 🦋🐍 and we welcome you to follow us if you're over there! We will still continue to share announcements here. bsky.app/profile/pypi.o… #python bsky.app/profile/pypi.o…

Python Package Index (@pypi) 's Twitter Profile Photo

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information: blog.pypi.org/posts/2025-08-…

Python Package Index (@pypi) 's Twitter Profile Photo

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security blog.pypi.org/posts/2025-08-…

Python Software Foundation (@thepsf) 's Twitter Profile Photo

The PSF has adopted pypistats.org, ensuring long-term stability while staying open source and community driven 🎉 Thank you to Christopher Flynn, for operating this community service for 6+ years- and for continuing to maintain the project 💪🐍 pyfound.blogspot.com/2025/08/pypist…

Python Package Index (@pypi) 's Twitter Profile Photo

🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain. Read more about what steps we're taking to protect PyPI users from future campaigns: blog.pypi.org/posts/2025-09-…

Python Package Index (@pypi) 's Twitter Profile Photo

A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details: blog.pypi.org/posts/2025-09-…

Python Software Foundation (@thepsf) 's Twitter Profile Photo

PyPI serves billions of requests daily- but sustaining it isn’t free. The PSF joined the OpenSSF & others in calling for organizations to invest in sustainable open infrastructure. Learn what this means for #PyPI, the PSF, & how our community can pitch in: pyfound.blogspot.com/2025/10/open-i…

Python Package Index (@pypi) 's Twitter Profile Photo

🚨 New PyPI blog post TL;DR:
- Trusted Publishing used for 25% of all files uploaded in Oct 2025
- 🦊 GitLab Self-Managed now in beta
- Pending Publishers can be added for Organizations, too!
#Python #SupplyChain #Security blog.pypi.org/posts/2025-11-…