🦜 The Python Package Index Blog
---
The official blog of the Python Package Index
New Login Verification for TOTP-based Logins
https://blog.pypi.org/posts/2025-11-14-login-verification/
Published: November 14, 2025 06:09
We've implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from new devices. What's Changing? Previously, when logging in with a Time-based One-Time Password (TOTP)…
Trusted Publishing is popular, now for GitLab Self-Managed and Organizations
https://blog.pypi.org/posts/2025-11-10-trusted-publishers-coming-to-orgs/
Published: November 10, 2025 06:09
Trusted Publishing has proven popular since its launch in 2023. Recap: Trusted Publishing enables software build platforms to publish packages to PyPI on your behalf, eliminating the need to manage long-lived authentication tokens. After a one-time setup…
Phishing attacks with new domains likely to continue
https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
Published: September 23, 2025 06:09
Unfortunately the string of phishing attacks using domain confusion and legitimate-looking emails continues. This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name. Judging from…
Token Exfiltration Campaign via GitHub Actions Workflows
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
Published: September 16, 2025 06:09
Summary: I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers. Attackers…
Preventing Domain Resurrection Attacks
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/
Published: August 18, 2025 06:09
Summary: PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets. These changes improve PyPI's overall account…
PyPI now serves project status markers in API responses
https://blog.pypi.org/posts/2025-08-14-project-status-markers/
Published: August 14, 2025 06:09
PyPI now serves project status markers in its standard index APIs. This allows downstream consumers (like Python package installers and index mirrors) to retrieve project statuses programmatically and use them to inform users when a project is archived or…
Preventing ZIP parser confusion attacks on Python package installers
https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks/
Published: August 7, 2025 06:09
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP parser implementations. This has been done in response to the discovery that the popular installer uv has a…
PyPI Phishing Attack: Incident Report
https://blog.pypi.org/posts/2025-07-31-incident-report-phishing-attack/
Published: July 31, 2025 06:09
Incident Report: Phishing Attack. Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report was posted to raise awareness of the attack, and to provide some initial details on the attack vector. Social media…
PyPI Users Email Phishing Attack
https://blog.pypi.org/posts/2025-07-28-pypi-phishing-attack/
Published: July 28, 2025 06:09
(Ongoing, preliminary report) PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPI with their email in…
inbox.ru Domain Prohibition Follow-up
https://blog.pypi.org/posts/2025-07-25-inbox-ru-follow-up/
Published: July 25, 2025 06:09
A follow-up to the previous post. We have since learned that the campaign was orchestrated by the company that owns the inbox.ru email domain, and not by a malicious third party as we initially suspected. Following the previous post, a representative of the…