🦜 The Python Package Index Blog
The official blog of the Python Package Index
Incident Report: Organizations Team privileges
https://blog.pypi.org/posts/2025-04-14-incident-report-organization-team-privileges/
Published: April 14, 2025 06:09
On April 14, 2025 security@pypi.org was notified of a potential security concern relating to privileges granted to a PyPI User via Organization Teams membership persisting after the User was removed from the PyPI Organization the Team belongs to. We validated…
Introducing our new Terms of Service
https://blog.pypi.org/posts/2025-02-25-terms-of-service/
Published: February 25, 2025 06:09
We're introducing a new Terms of Service to formalize our relationship to users and enable us to move forward with providing new features and services, specifically Organization Accounts. PyPI has had some form of Terms of Use document for users since it began…
PyPI Now Supports Project Archival
https://blog.pypi.org/posts/2025-01-30-archival/
Published: January 30, 2025 06:09
Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected to receive any more updates. This allows users to make better decisions about which packages they depend…
Project Quarantine
https://blog.pypi.org/posts/2024-12-30-quarantine/
Published: December 30, 2024 06:09
Earlier this year, I wrote briefly about new functionality added to PyPI, the ability to quarantine projects. This feature allows PyPI administrators to mark a project as potentially harmful, and prevent it from being easily installed by users to prevent…
Supply-chain attack analysis: Ultralytics
https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/
Published: December 11, 2024 06:09
Last week, the Python project “ultralytics” suffered a supply-chain attack through a compromise of the project’s GitHub Actions workflows and subsequently its PyPI API token. No security flaw in PyPI was used to execute this attack. Versions 8.3.41,…
Malware Package Analysis: aiocpa
https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis/
Published: November 25, 2024 06:09
On 2024-11-21, PyPI was notified about a malware attack with few details. Upon further investigation, we found that the maintainer was injecting obfuscated code that will exfiltrate credentials to a specific Telegram bot. The credentials include tokens, API…
PyPI now supports digital attestations
https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/
Published: November 14, 2024 06:09
PyPI package maintainers can now publish signed digital attestations when publishing, in order to further increase trust in the supply-chain security of their projects. Additionally, a new API is available for consumers and installers to verify published…
Safety & Security Engineer: First Year in Review
https://blog.pypi.org/posts/2024-08-16-safety-and-security-engineer-year-in-review/
Published: August 16, 2024 06:09
Hello reader! It's me, Mike, and it's been just over a year since I posted about joining the PSF as the Safety & Security Engineer for the Python Package Index (PyPI). I wanted to take a moment to reflect on the past year, and share some of the things I've…
Incident Report: Leaked GitHub Personal Access Token
https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/
Published: July 8, 2024 06:09
On June 28, 2024 security@python.org and I (Ee Durbin) were notified of a leaked GitHub Personal Access Token for my GitHub user account, ewdurbin. This token was immediately revoked, and a review of my GitHub account and activity was performed. No indicators…
Prohibiting Outlook email domains
https://blog.pypi.org/posts/2024-06-16-prohibiting-msn-emails/
Published: June 16, 2024 00:00
In response to ongoing mass bot account registrations, Outlook domains outlook.com and hotmail.com have been prohibited from new associations with PyPI accounts. This includes new registrations as well as adding as additional addresses. If you have been…