
The PyPI Blog

PyPI now serves project status markers in API responses

PyPI now serves project status markers in its standard index APIs. This allows downstream consumers (like Python package installers and index mirrors) to retrieve project statuses programmatically and use them to inform users when a project is archived or quarantined.

Summary

  • PyPI has implemented project status markers as proposed and accepted in PEP 792.
  • As of today, PyPI supports three standard statuses: active (the default), archived, and quarantined.
  • Downstream consumers can now retrieve these statuses via the standard index APIs and use them to inform users about the state of a project.

See the project archival and project quarantine announcement posts for additional information on PyPI's implementation of those individual statuses.
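As an added illustration (not code from PyPI or from any installer), here is a small Python consumer that extracts the marker from both forms of the Simple API, the PEP 691 JSON `project-status` object and the PEP 503 HTML `pypi:project-status` meta tags, and turns it into an install decision. The responses are constructed samples, the key and meta names follow PEP 792 as assumed here, and the policy (install active, warn on archived, refuse quarantined and anything unrecognised) is this example's own choice, not PyPI's or any installer's.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from html.parser import HTMLParser

# Statuses defined by PEP 792 and served by PyPI today; anything else is unknown to this client.
KNOWN_STATUSES = {"active", "archived", "quarantined"}


@dataclass(frozen=True)
class ProjectStatus:
    status: str
    reason: str | None = None


def status_from_json(body: str) -> ProjectStatus:
    """Read the PEP 792 `project-status` object from a PEP 691 JSON project page.

    Assumption made here: a missing key means the project is active (the default status)."""
    doc = json.loads(body)
    marker = doc.get("project-status")
    if marker is None:
        return ProjectStatus("active")
    return ProjectStatus(str(marker["status"]), marker.get("reason"))


class _StatusMetaParser(HTMLParser):
    """Collect the pypi:project-status meta tags from a PEP 503 HTML project page."""

    def __init__(self) -> None:
        super().__init__()
        self.status: str | None = None
        self.reason: str | None = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") == "pypi:project-status":
            self.status = a.get("content")
        elif a.get("name") == "pypi:project-status-reason":
            self.reason = a.get("content")


def status_from_html(body: str) -> ProjectStatus:
    parser = _StatusMetaParser()
    parser.feed(body)
    return ProjectStatus(parser.status or "active", parser.reason)


def install_decision(marker: ProjectStatus, allow_archived: bool = True) -> tuple[bool, str]:
    """Turn a status marker into (proceed?, message for the user).

    Policy is this example's own: active installs, archived installs with a warning unless the
    caller opts out, quarantined and unrecognised statuses are refused (fail closed)."""
    reason = f" ({marker.reason})" if marker.reason else ""
    if marker.status == "active":
        return True, "project is active"
    if marker.status == "archived":
        if allow_archived:
            return True, f"warning: project is archived and will receive no further updates{reason}"
        return False, f"refusing archived project{reason}"
    if marker.status == "quarantined":
        return False, f"refusing: project is quarantined by PyPI administrators{reason}"
    return False, f"refusing: unrecognised project status {marker.status!r}"


# Constructed sample responses (not captured from PyPI), shaped as PEP 792 is assumed to describe.
JSON_QUARANTINED = json.dumps({
    "meta": {"api-version": "1.4"},
    "name": "example-pkg",
    "project-status": {"status": "quarantined", "reason": "Flagged as potential malware"},
    "files": [],
})
JSON_NO_MARKER = json.dumps({"meta": {"api-version": "1.3"}, "name": "example-pkg", "files": []})
HTML_ARCHIVED = """<!DOCTYPE html><html><head>
<meta name="pypi:repository-version" content="1.4">
<meta name="pypi:project-status" content="archived">
<meta name="pypi:project-status-reason" content="Superseded by example-pkg2">
</head><body><a href="example_pkg-1.0-py3-none-any.whl">example_pkg-1.0-py3-none-any.whl</a></body></html>"""

if __name__ == "__main__":
    for label, marker in [("json", status_from_json(JSON_QUARANTINED)),
                          ("json-no-marker", status_from_json(JSON_NO_MARKER)),
                          ("html", status_from_html(HTML_ARCHIVED))]:
        print(label, marker, install_decision(marker))
```

Reading the marker from both representations matters for mirrors: a mirror that re-serves only the HTML form still has to carry the meta tags through, or its clients will silently see every project as active.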

Preventing ZIP parser confusion attacks on Python package installers

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from differences between ZIP parser implementations. This has been done in response to the discovery that the popular installer uv extracts archives differently from many Python-based installers, which use the ZIP parser provided by the zipfile standard library module.

Summary

  • ZIP archives constructed to exploit ZIP confusion attacks are now rejected by PyPI.
  • There is no evidence that this vulnerability has been exploited using PyPI.
  • PyPI is deprecating wheel distributions with incorrect RECORD files.

Please see this blog post and CVE-2025-54368 for more information on uv's patch.
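Added example, not PyPI's or uv's code: a Python checker for two signals a consumer can verify with the standard zipfile module before trusting a wheel, duplicate names in the central directory (two parsers may pick different copies of the same path) and members whose contents disagree with RECORD. It builds three constructed wheels in memory, one clean, one with a file altered after RECORD was written, and one with a second entry for the same path, and reports what it finds. The check list is this example's own and is not PyPI's exact rejection rule.

```python
from __future__ import annotations

import base64
import csv
import hashlib
import io
import warnings
import zipfile


def record_hash(data: bytes) -> str:
    """Hash a file the way wheel RECORD files do: urlsafe base64 of SHA-256, padding stripped."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(files, dist_info, tamper=None, extra_entries=()):
    """Build a minimal wheel in memory (constructed test data, not a real distribution).

    RECORD is computed from `files`. `tamper` swaps in different bytes for a path after RECORD
    was computed, and `extra_entries` appends further members (duplicates allowed), so both
    produce archives a careful consumer should reject."""
    tamper = tamper or {}
    record_path = f"{dist_info}/RECORD"
    lines = [f"{path},{record_hash(data)},{len(data)}" for path, data in files.items()]
    lines.append(f"{record_path},,")  # RECORD does not list its own hash or size
    record = ("\n".join(lines) + "\n").encode()
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we add them on purpose
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for path, data in files.items():
                zf.writestr(path, tamper.get(path, data))
            for path, data in extra_entries:
                zf.writestr(path, data)
            zf.writestr(record_path, record)
    return buf.getvalue()


def check_wheel(wheel_bytes: bytes) -> list[str]:
    """Return the problems found; an empty list means the wheel passed every check.

    Checks (this example's own): no duplicate central-directory names, each local header agrees
    with its central-directory entry, and every member matches its RECORD line."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        infos = zf.infolist()  # the central directory, the view a parser is supposed to trust
        names = [info.filename for info in infos]

        # 1. Duplicate names: one extractor takes the first entry, another the last.
        seen: set[str] = set()
        for name in names:
            if name in seen:
                problems.append(f"{name}: duplicate central directory entry")
            seen.add(name)

        # 2. Locate RECORD and parse it into path -> (hash, size).
        record_names = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(record_names) != 1:
            problems.append(f"expected exactly one RECORD, found {len(record_names)}")
            return problems
        record_name = record_names[0]
        recorded: dict[str, tuple[str, str]] = {}
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if row:
                recorded[row[0]] = (row[1], row[2])

        # 3. Read every member by ZipInfo (not by name, so duplicates are not skipped) and compare
        #    with RECORD. zipfile raises BadZipFile if a local header's name disagrees with the
        #    central directory, which is the other classic confusion vector.
        for info in infos:
            name = info.filename
            if name not in recorded:
                problems.append(f"{name}: not listed in RECORD")
                continue
            if name == record_name:
                continue
            try:
                data = zf.read(info)
            except zipfile.BadZipFile as exc:
                problems.append(f"{name}: {exc}")
                continue
            expected_hash, expected_size = recorded[name]
            if expected_hash != record_hash(data) or expected_size != str(len(data)):
                problems.append(f"{name}: content does not match RECORD")

        # 4. RECORD must not vouch for files the archive does not contain.
        for path in recorded:
            if path not in seen:
                problems.append(f"{path}: listed in RECORD but missing from archive")
    return problems


# Constructed sample wheels; the payload is a harmless stand-in for bytes RECORD never vouched for.
DIST_INFO = "example_pkg-1.0.dist-info"
FILES = {
    "example_pkg/__init__.py": b"__version__ = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: example-pkg\nVersion: 1.0\n",
    f"{DIST_INFO}/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
}
PAYLOAD = b"print('not the bytes RECORD vouches for')\n"
GOOD_WHEEL = build_wheel(FILES, DIST_INFO)
TAMPERED_WHEEL = build_wheel(FILES, DIST_INFO, tamper={"example_pkg/__init__.py": PAYLOAD})
DUPLICATE_WHEEL = build_wheel(FILES, DIST_INFO, extra_entries=[("example_pkg/__init__.py", PAYLOAD)])

if __name__ == "__main__":
    for label, wheel in [("good", GOOD_WHEEL), ("tampered", TAMPERED_WHEEL), ("duplicate", DUPLICATE_WHEEL)]:
        print(label, check_wheel(wheel) or "ok")
```

The duplicate case is the instructive one: `zf.read("example_pkg/__init__.py")` by name would quietly return the last copy, so a checker that iterates `namelist()` and reads by name verifies the wrong member and never notices the first copy exists. Iterating `infolist()` and reading each ZipInfo directly is what makes the mismatch visible.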

Incident Report: Phishing Attack

Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report was posted to raise awareness of the attack, and to provide some initial details on the attack vector.

Social media posts linking to the initial report have been shared widely; PyPI itself has not been breached by this attack.

Summary

  • 4 user accounts were successfully phished, now either disabled or credentials rotated
  • 2 API Tokens were generated by the attackers, which have since been revoked
  • 2 releases of the num2words project were uploaded by the attacker, which have since been removed
  • The phishing domain has been taken down

PyPI Users Email Phishing Attack

Read the follow-up post: Phishing Attack Follow-Up


(Ongoing, preliminary report)

PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site.

Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled:

[PyPI] Email verification

from the email address noreply@pypj.org.

Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org.

This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.

Prohibiting inbox.ru email domain registrations

A recent spam campaign against PyPI has prompted an administrative action preventing use of the inbox.ru email domain. This applies to new registrations as well as to adding inbox.ru addresses as additional addresses on existing accounts.

The campaign created over 250 new user accounts, publishing over 1,500 new projects on PyPI, leading to end-user confusion, abuse of resources, and potential security issues.

All relevant projects have been removed from PyPI, and accounts have been disabled.

Incident Report: Organizations Team privileges

On April 14, 2025, security@pypi.org was notified of a potential security concern: privileges granted to a PyPI user through membership in an Organization Team persisted after the user was removed from the PyPI Organization that the Team belongs to.

We validated the report as a true finding, identified all cases where this scenario had occurred, notified impacted parties, and released a fix. A full audit determined that all instances were accounted for, with no unauthorized actions taken as a result of the issue.

PyPI Now Supports Project Archival

Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected to receive any more updates.

This allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that no future security fixes or maintenance should be expected.

Project Quarantine

Earlier this year, I wrote briefly about new functionality added to PyPI, the ability to quarantine projects. This feature allows PyPI administrators to mark a project as potentially harmful and stop users from easily installing it, limiting further harm.

In this post I'll discuss the implementation, and further improvements to come.