We are lucky to have an engaged community of security researchers that help us keep the Python Package Index (PyPI) safe.
These folks have been instrumental in helping us identify and remove malicious projects from the Index, and we are grateful for their continued support.
Historically, we have asked reporters to email us to report malware per the PyPI Security Policy.
PyPI now has an improved way to report malware, via PyPI itself.
It's January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users.
This post is a recognition of the hard work that went into making this a reality, and a thank you to all the users who have enabled 2FA on their accounts.
It is also a reminder to those who have not yet enabled 2FA, that you will need to do so before you can perform any management actions, or upload files to PyPI.
Once 2FA is enabled, you may perform management actions, including generating API Tokens or setting up Trusted Publishers (preferred) to upload files.
Starting January 1, 2024, all users must enable 2FA for their PyPI accounts.
PyPI has been on the path of being a fully Two-factor Authenticated service a reality, which began in 2019. Read more about some of the steps taken in recent months:
Starting today, all users must enable 2FA before they can perform any management actions on TestPyPI.
This change is in preparation for the scheduled enforcement of 2FA on PyPI at the end of 2023.
A PyPI user's account was taken over and used to remove the user's ownership of 4 projects. This was not a malfunction of PyPI or using any vulnerability, rather the user's account was not sufficiently protected against account takeover.
The attacker added themselves as a collaborator to these projects, and removed the original owner. None of the projects had any modifications made to them other than ownership changes.
This is part three in a three-part series. See part one here, and part two here.
This post is a deeper dive into the remediation of the security audit findings for cabotage - the codebase that deploys PyPI and its supporting services such as conveyor, camo, and inspector.
This is part two in a three-part series. See part one here, and part three here.
This post is a deeper dive into the remediation of the security audit findings for the Warehouse - the main codebase for PyPI.org.
The audit report can be found here. I highly recommend reading that for the fullest context first.
This is part one in a three-part series. See part two here, and part three here
We are proud to announce that PyPI has completed its first ever external security audit. This work was funded in partnership with the Open Technology Fund (OTF), a previous supporter of security-related improvements to PyPI.
The current PyPI security reporting procedure
directs reporters to send an email to security@pypi.org with details.
security@ was previously an email alias for admin@,
a Google Group that contains all current PyPI Administrators (4 people).
Back in 2019 we kicked off efforts to integrate with GitHub secret scanning. Due to the complexity in nature, the completed integration launched in 2021, with the volunteer-led effort by Joachim Jablon (@ewjoachim) and the GitHub team.