Ee Durbin

April 14, 2025
6 min read

Incident Report: Organizations Team privileges

On April 14, 2025 security@pypi.org was notified of a potential security concern relating to privileges granted to a PyPI User via Organization Teams membership persisting after the User was removed from the PyPI Organization the Team belongs to.

We validated the report as a true finding, identified all cases where this scenario had occurred, notified impacted parties, and released a fix. A full audit determined that all instances were accounted for, with no unauthorized actions taken as a result of the issue.

February 25, 2025
1 min read

Introducing our new Terms of Service

We're introducing a new Terms of Service to formalize our relationship to users and enable us to move forward with providing new features and services, specifically Organization Accounts.

July 8, 2024
5 min read

Incident Report: Leaked GitHub Personal Access Token

On June 28, 2024 security@pypi.org and I (Ee Durbin) were notified of a leaked GitHub Personal Access Token for my GitHub user account, ewdurbin. This token was immediately revoked, and a review of my GitHub account and activity was performed. No indicators of malicious activity were found.

June 16, 2024
2 min read

Prohibiting Outlook email domains

In response to ongoing mass bot account registrations, Outlook domains outlook.com and hotmail.com have been prohibited from new associations with PyPI accounts. This includes new registrations as well as adding as additional addresses.

November 14, 2023
7 min read

Security Audit Remediation: cabotage

This is part three in a three-part series. See part one here, and part two here.

This post is a deeper dive into the remediation of the security audit findings for cabotage - the codebase that deploys PyPI and its supporting services such as conveyor, camo, and inspector.

June 26, 2023
1 min read

Deprecation of bdist_egg uploads to PyPI

PEP 715, deprecating bdist_egg/.egg uploads to PyPI has been accepted. We'll begin the process of implementing this today.

Please note that this does NOT remove any existing uploaded eggs from PyPI.

June 1, 2023
1 min read

Enforcement of 2FA for upload.pypi.org begins today

Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.

May 24, 2023
5 min read

PyPI was subpoenaed

In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.

May 9, 2023
2 min read

Announcing the PyPI Safety & Security Engineer role

We are pleased to announce Amazon Web Services (AWS) as the inaugural Security Sponsor for PyPI, investing $144,000 over one year to fund key enhancements to PyPI infrastructure and operations, including the creation of a new “PyPI Safety & Security Engineer” role.

April 23, 2023
3 min read

Introducing PyPI Organizations

Today, we are rolling out the first step in our plan to build financial support and long-term sustainability of the Python Packaging Index (PyPI), while simultaneously giving our users one of our most requested features: organization accounts.