2026

PyPI has completed its second audit

In 2023 PyPI completed its first security audit, and I am proud to announce that we have now completed our second external security audit.

This work was funded by the Sovereign Tech Agency, a supporter of security-related improvements to Open Source, which partnered with Trail of Bits to perform the audit. Thanks to ongoing support from Alpha-Omega, my role at the PSF enabled me to focus on rapid remediation of the findings.

This time around, there's no three-part series, as the scope was narrower, focused only on PyPI's codebase and behaviors. Read on for a summary of issues identified, their resolutions, and more details about the audit process.

Dispatch from PyPI Land: A Year (and a Half!) as the Inaugural PyPI Support Specialist

Hello there! I am Maria, the inaugural PyPI Support Specialist. I go by "Thespi-Brain" on GitHub. I wanted to provide a dispatch on how this past year (and a half!) has gone regarding my role and PyPI. PyPI has now reached over a million users and hosts over 700,000 projects. It is, without a doubt, a critical part of the Python ecosystem. As the inaugural PyPI Support Specialist, there were numerous challenges that needed to be tackled regarding PyPI support, such as the ever-growing backlog of account recovery and PEP 541 issues.