🦜 The Python Package Index Blog
The official blog of the Python Package Index
Safety & Security Engineer: First Year in Review
https://blog.pypi.org/posts/2024-08-16-safety-and-security-engineer-year-in-review/
Published: August 16, 2024 06:09
Hello reader! It's me, Mike, and it's been just over a year since I posted about joining the PSF as the Safety & Security Engineer for the Python Package Index (PyPI). I wanted to take a moment to reflect on the past year, and share some of the things I've…
Incident Report: Leaked GitHub Personal Access Token
https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/
Published: July 8, 2024 06:09
On June 28, 2024 security@python.org and I (Ee Durbin) were notified of a leaked GitHub Personal Access Token for my GitHub user account, ewdurbin. This token was immediately revoked, and a review of my GitHub account and activity was performed. No indicators…
Prohibiting Outlook email domains
https://blog.pypi.org/posts/2024-06-16-prohibiting-msn-emails/
Published: June 16, 2024 00:00
In response to ongoing mass bot account registrations, Outlook domains outlook.com and hotmail.com have been prohibited from new associations with PyPI accounts. This includes new registrations as well as adding as additional addresses. If you have been…
Expanding Trusted Publisher Support
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
Published: April 17, 2024 06:09
Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers: GitLab CI/CD, Google Cloud, and ActiveState. These providers join existing support for publishing from GitHub Actions without long-lived passwords or API…
Malware Distribution and Domain Abuse
https://blog.pypi.org/posts/2024-04-10-domain-abuse/
Published: April 10, 2024 06:09
A package named yocolor was uploaded to PyPI designed to assist with malware distribution to targets. The package was removed from PyPI, curtailing its potential impact to users. This incident differs from the usual malware package removals, as it involved a…
Incident Report: Unauthorized User Accounts Access
https://blog.pypi.org/posts/2024-04-03-user-account-access/
Published: April 3, 2024 06:09
On Sunday, March 31st, 2024, PyPI Admins received emails about unexpected account activity from PyPI users. Users received notifications from PyPI that they had enrolled in two-factor authentication (2FA). These users claimed that they had not done so…
Announcing a PyPI Support Specialist
https://blog.pypi.org/posts/2024-03-20-announcing-a-pypi-support-specialist/
Published: March 20, 2024 06:09
We launched the Python Package Index (PyPI) in 2003 and for most of its history a robust and dedicated volunteer community kept it running. Eventually, we put a bit of PSF staff time into the maintenance of the Index, and last year with support from AWS…
Malware Reporting Evolved
https://blog.pypi.org/posts/2024-03-06-malware-reporting-evolved/
Published: March 6, 2024 06:09
We are lucky to have an engaged community of security researchers that help us keep the Python Package Index (PyPI) safe. These folks have been instrumental in helping us identify and remove malicious projects from the Index, and we are grateful for their…