2024

Announcing a PyPI Support Specialist

We launched the Python Package Index (PyPI) in 2003 and for most of its history a robust and dedicated volunteer community kept it running. Eventually, we put a bit of PSF staff time into the maintenance of the Index, and last year with support from AWS we hired Mike Fiedler to work full-time on PyPI’s urgent security needs.

Malware Reporting Evolved

We are lucky to have an engaged community of security researchers that help us keep the Python Package Index (PyPI) safe.

These folks have been instrumental in helping us identify and remove malicious projects from the Index, and we are grateful for their continued support.

Historically, we have asked reporters to email us to report malware per the PyPI Security Policy.

PyPI now has an improved way to report malware, via PyPI itself.

2FA Required for PyPI

Two-factor Authentication is required for all users

It's January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users.

This post is a recognition of the hard work that went into making this a reality, and a thank you to all the users who have enabled 2FA on their accounts.

It is also a reminder to those who have not yet enabled 2FA that you will need to do so before you can perform any management actions or upload files to PyPI.

Once 2FA is enabled, you may perform management actions, including generating API Tokens or setting up Trusted Publishers (preferred) to upload files.