The PSF is looking for a PyPI Sustainability Engineer to join the team! This is a full time, 1-year contract (with the possibility of renewal), globally remote position. If you love #Python, care about open source, and want your work to matter at infrastructure scale–consider applying! #PyPI #Python
🔎🔐 PyPI has completed its second external #security audit! Thanks to @sovereign.tech for funding, Trail of Bits for the audit, and Alpha-Omega for supporting rapid remediation. Find the full report on the Trail of Bits publication page. #Python #PyPI
PSF Security developers have published incident reports on the LiteLLM & Telnyx #supplychain attacks. Read what happened, who's affected, and what developers & maintainers can do to prepare and protect themselves from future incidents. #security #python
Huge thanks to @fastly.com for 10+ years of keeping #PyPI up and running! PyPI serves 800K+ users at ~100K requests/sec. With a small team behind the service, that kind of scale is only possible because of infrastructure partners who invest in the sustainability of the #Python ecosystem.
Over the past year (and a half!), our inaugural PyPI Support Specialist, Maria Ashna, helped tackle backlogs, improve support processes, and keep #PyPI running smoothly for the #Python community.
Read the full reflection on what that work looked like 👇
blog.pypi.org/posts/2026-0...
Proud to support the Python Software Foundation (@python.org) as a Fast Forward member!
PyPI’s 2025 Year in Review shows the scale of the Python ecosystem:
• 3.9M+ new files
• 130K+ new projects
Honored to help power infrastructure behind the global Python community. blog.pypi.org/posts/2025-1...
Infographic of PyPI statistics, with a yellow background, blue and grey text, and blue rectangles to highlight each statistic. Title states "PyPI in 2025". Underneath are 5 statistics: 3.9 million+ new files published 130,000+ new projects created 1.92 exabytes of total data transferred 2.56 trillion total requests served 81,000 requests per second on average At the bottom is the PyPI logo, "Python package index" with blocks in the shape of the Python logo.
2025 was another eventful year for PyPI! Critical security enhancements, powerful new org features, a better overall user experience, and transparent security incident response 🎉👏 Thank you, PyPI team & community!
Learn more on our blog: blog.pypi.org/posts/2025-1...
New @pypi.org blog
TL, DR:
- Trusted Publishing used for 25% of all files uploaded in Oct 2025
- @gitlab.com Self-Managed now in beta
- Pending Publishers can be added for Organizations, too!
#Python #SupplyChain #Security
Read it here: blog.pypi.org/posts/2025-1...
PyPI serves billions of requests daily- but sustaining it isn’t free. The PSF joined the OpenSSF & others in calling for organizations to invest in sustainable open infrastructure. Learn what this means for #PyPI, the PSF, & how our community can pitch in:
A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:
🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain.
Read more about what steps we're taking to protect PyPI users from future campaigns:
The PSF has adopted pypistats.org, ensuring long-term stability while staying open source and community driven 🎉 Thank you to Christopher Flynn, for operating this awesome community service for 6+ years- and for continuing to maintain the project 💪🐍 pyfound.blogspot.com/2025/08/pypi...
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information:
Heads Up, #Python Developers!
There is an active phishing attack targeting PyPI users.
• Threat: Emails from noreply@pypj.org (with a 'j') link to a fake login page.
• Action: Do not click any links. If you already did, change your PyPI password ASAP.
• Note: PyPI itself has not been breached.
my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%:
blog.trailofbits.com/2025/05/01/m...
This wasn’t just blather! bsky.app/profile/pypi...
Incident report! Thanks to our community for reporting, we take security seriously and work to address issues like these to suit.
blog.pypi.org/posts/2025-0...
#PyPI takes security very seriously. If you ever run into malware or a security issue with PyPI itself, make sure to follow our reporting instructions carefully-- and thank you for your vigilance! pypi.org/security/ #python
Keep up to date and subscribe for updates on #PyPI infrastructure status, including requests, edge requests/errors, and traffic via our public dashboard: status.python.org #python
Into stats? Find various first and third party #PyPI statistics on our website: pypi.org/stats/ #python
Learn about how to install and distribute #Python packages with the 'Python Packaging User Guide', a collection of tutorials and references, maintained by the Python Packaging Authority: packaging.python.org/ #pypi
If you want to get in-depth updates on #PyPI news, updates, and incidents, make sure to regularly read up on our blog: blog.pypi.org/ #python
If you've got questions about the basics of #PyPI, your account, integration, project admin, troubleshooting, or what PyPI is all about, make sure to check our FAQ! pypi.org/help/ #python
@python.org raises and distributes funds to improve #Python's packaging ecosystem, including #PyPI. If your company depends on Python or PyPI, send our sponsorship page to those internal decision makers to help sustain Python for all, for free, forever: www.python.org/sponsors/app...
New to #PyPI? It's the home and central repository for #Python packages 🐍🏡 Use pip install to grab your favorite libraries!
Welcome to the official #PyPI Bluesky account 🦋🐍 Your trusted source for discovering, installing, and sharing #Python packages. Follow us for updates, security news, and incident reports!
I just went through and archived every project I'm the sole owner of that hasn't had a release in 4 years (although that date isn't special, it just happens to be the "youngest" release; oldest, latest release was over 14 years ago).
