The PyPI Blog
2FA Enforcement for TestPyPI
PyPI requires 2FA for all management actions on TestPyPI.
Incident Report: User Account Takeover
A PyPI user had their account taken over
Security Audit Remediation: cabotage
A deeper dive into the remediation of the security audit findings for the cabotage project.
Security Audit Remediation: Warehouse
A deeper dive into the remediation of the security audit findings for the Warehouse project.
PyPI has completed its first security audit
We are proud to announce PyPI's first external security audit.
Inbound Malware Volume Report
Analysis of inbound malware reporting volume and response times from PyPI administrators.
GitHub now scans public issues for PyPI secrets
GitHub will now scan public repositories' issues for PyPI API tokens, and will notify repository owners when they are found.
2FA Enforcement for New User Registrations
PyPI requires new users to enable 2FA before performing management actions.
PyPI hires a Safety & Security Engineer
Mike Fiedler joins PSF as inaugural PyPI Safety & Security Engineer
Deprecation of bdist_egg uploads to PyPI
PyPI will stop accepting .egg uploads August 1, 2023.
Announcing the launch of PyPI Malware Reporting and Response project
Enforcement of 2FA for upload.pypi.org begins today
PyPI now requires all uploads from accounts with 2FA enabled to use an API token or Trusted Publisher configuration.
Reducing Stored IP Data in PyPI
PyPI has stopped using IP data when possible, and is continuing to reduce the amount of IP data stored overall.
Securing PyPI accounts via Two-Factor Authentication
PyPI will require all users who maintain projects or organizations to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
PyPI was subpoenaed
The PSF received three subpoenas from the US Department of Justice for PyPI user data in March and April of 2023.
Removing PGP from PyPI
PyPI has removed support for uploading PGP signatures with new releases.
Announcing the PyPI Safety & Security Engineer role
PyPI is hiring, thanks to funding from Amazon Web Services!
Introducing PyPI Organizations
Announcing the launch of a significant new collaboration feature for PyPI
Introducing 'Trusted Publishers'
Announcing a new, more secure way to publish to PyPI
Welcome to the PyPI Blog
Announcing the launch of blog.pypi.org