PyPI Bolsters Account Security with Expired Domain Checks

2025-08-19

To counter domain resurrection attacks, a supply chain attack in which an attacker registers an expired domain that once hosted a PyPI account's e-mail address and then requests a password reset to take over the account, PyPI now checks whether the domains behind verified e-mail addresses have expired. Addresses on expired domains are marked unverified, so they can no longer be used for account recovery; more than 1,800 addresses have been unverified since early June 2025. The check does not close the vector entirely, but it removes the easiest path to an account. Users are advised to add a second verified e-mail address, preferably on a different domain, so the account stays recoverable if one domain lapses.
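
The check described above, as an added example that is not PyPI's own code (warehouse) and not the exact logic the PyPI post describes: the live domain-status lookup PyPI uses is replaced here by a constructed in-memory table so the script runs offline, and the account records are constructed. It shows why unverifying the address defeats the attack (the password-reset gate) and why an account with a single address on a lapsed domain needs a second one.

```python
"""Expired-domain check over verified e-mail addresses.

Added example: this is not code from PyPI (warehouse) and not the exact
logic the PyPI post describes. PyPI's post says it queries a domain-status
service; here that lookup is replaced by a constructed in-memory table so
the script runs offline. All account records and domain statuses below are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed registrar statuses standing in for a live lookup.
#   "active":  registered, in its normal lifecycle
#   "expired": past expiry (grace/redemption) or dropped and re-registrable,
#              i.e. someone else could soon control mail for this domain
DOMAIN_STATUS = {
    "example.com": "active",
    "old-startup.example": "expired",
    "mail.example.org": "active",
}


@dataclass
class Account:
    username: str
    emails: dict[str, bool] = field(default_factory=dict)  # address -> verified?


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def domain_expired(domain: str, statuses: dict[str, str] = DOMAIN_STATUS) -> bool:
    # An unknown domain is not evidence of expiry; only an explicit
    # "expired" status triggers unverification.
    return statuses.get(domain) == "expired"


def unverify_expired(accounts: list[Account],
                     statuses: dict[str, str] = DOMAIN_STATUS) -> dict[str, list[str]]:
    """Mark every verified address on an expired domain as unverified.

    Returns {username: [addresses that were unverified]}.
    """
    changed: dict[str, list[str]] = {}
    for acct in accounts:
        for addr, verified in acct.emails.items():
            if verified and domain_expired(email_domain(addr), statuses):
                acct.emails[addr] = False
                changed.setdefault(acct.username, []).append(addr)
    return changed


def password_reset_allowed(acct: Account, address: str) -> bool:
    """Password recovery may only go to a currently verified address.

    This is the gate that defeats domain resurrection: once the address is
    unverified, whoever re-registers the domain cannot obtain a reset link.
    """
    return acct.emails.get(address, False)


def unrecoverable_accounts(accounts: list[Account]) -> list[str]:
    """Accounts left with no verified address at all.

    These users can no longer recover by e-mail and must re-verify or add a
    second address, which is why a second verified address is recommended.
    """
    return [a.username for a in accounts if not any(a.emails.values())]


if __name__ == "__main__":
    users = [
        Account("alice", {"alice@example.com": True}),
        Account("bob", {"bob@old-startup.example": True}),
        Account("carol", {"carol@old-startup.example": True,
                          "carol@mail.example.org": True}),
    ]
    print(unverify_expired(users))
    print("unrecoverable:", unrecoverable_accounts(users))
    print("reset to bob's old address allowed?",
          password_reset_allowed(users[1], "bob@old-startup.example"))
```

Running the script unverifies bob's and carol's addresses on the expired domain; carol still has a verified address on another domain and remains recoverable, while bob does not, which is the situation the second-address advice is meant to prevent. A real deployment would swap the constructed status table for a registrar or domain-status API and run the sweep on a schedule, since a domain can expire at any time after the address was verified.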

Tags: Development, domain resurrection

PyPI Launches Organization Accounts for Enhanced Sustainability

2025-05-13

The Python Package Index (PyPI) has introduced organization accounts to improve platform sustainability and user experience. Teams can create self-managed organization accounts with their own URL on PyPI, which simplifies management for large projects and for companies that run multiple sub-teams and packages. Community projects can use the feature for free; corporate projects pay a small fee, and all revenue is reinvested in PyPI's support and infrastructure. The income is meant to help PyPI keep pace with growth in downloads and bandwidth and to respond to requests faster. The feature is entirely optional and does not affect existing users.

Tags: Development, Organization Accounts

PyPI's Project Quarantine: A New Weapon Against Malware

2025-01-05

The Python Package Index (PyPI) has introduced a 'Project Quarantine' feature to combat the persistent problem of malware. It lets PyPI administrators flag a suspect project: the project is removed from the simple index so that pip no longer resolves or installs it, which limits the harm while the report is assessed. Rather than being deleted outright, the project remains modifiable by its owners, who cannot publish new releases while it is quarantined, and only administrators can lift the quarantine. Future plans include quarantining a project automatically once it receives multiple credible reports, improving efficiency and shrinking the window in which malware can spread.

Tags: Development

Ultralytics Suffers Supply Chain Attack: A PyPI Security Incident Analysis

2024-12-14

The Python project Ultralytics recently suffered a supply chain attack. Attackers compromised the project's GitHub Actions workflows and stole a PyPI API token, resulting in tainted releases 8.3.41, 8.3.42, 8.3.45 and 8.3.46. No PyPI vulnerability was exploited; the attack went through the project's GitHub Actions workflows and its Actions cache. Because the project used Trusted Publishing and its releases were recorded in Sigstore transparency logs, PyPI could quickly trace and remove the malicious releases. The incident exposed weaknesses in how the API token and the GitHub environments were configured. The article stresses securing software forges and build/publish workflows, and gives developers concrete recommendations: use Trusted Publishers instead of long-lived API tokens, lock dependencies, avoid insecure workflow patterns, and enable multi-factor authentication.
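
The tainted release list above is exactly what a locked dependency set lets you check mechanically. The following script is an added example, not code from the PyPI post or the Ultralytics project: it parses a pip-style lock file (constructed here, with a placeholder sha256 digest standing in for a real artifact hash), reports requirements that are not pinned to one exact version or carry no hash, and flags the four tainted ultralytics releases the write-up names.

```python
"""Lock-file audit: flag unpinned, unhashed, or known-tainted releases.

Added example; this is not code from the PyPI post or the Ultralytics
project. The lock-file text below is constructed, and its sha256 digest is
a placeholder standing in for the real hash a lock tool would emit. The
tainted version set is the one the incident write-up names.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Releases the incident write-up identifies as tainted (PEP 503-normalized name).
TAINTED_RELEASES = {
    "ultralytics": {"8.3.41", "8.3.42", "8.3.45", "8.3.46"},
}

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"                      # optional extras, e.g. pkg[export]
    r"\s*(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<version>[^\s;#]*)"
)
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    op: Optional[str]
    version: str
    hashes: list = field(default_factory=list)  # [(algo, digest), ...]


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Ultralytics' and 'ultralytics' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str):
    """Join backslash-continued lines, strip comments, skip blank/option lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):   # e.g. --index-url lines
            yield line


def parse_lockfile(text: str) -> list:
    reqs = []
    for line in logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue   # URLs, editable installs etc. are out of scope here
        hashes = [(h["algo"], h["digest"].lower()) for h in HASH_RE.finditer(line)]
        reqs.append(Requirement(m["name"], m["op"], m["version"], hashes))
    return reqs


def audit(text: str, tainted=TAINTED_RELEASES) -> dict:
    """Return {normalized name: [issues]} for every requirement that is not
    pinned to one exact version, carries no hash, or names a tainted release."""
    findings = {}
    for req in parse_lockfile(text):
        issues = []
        if req.op != "==" or "," in req.version:
            issues.append("unpinned")
        if not req.hashes:
            issues.append("no-hash")
        if req.version in tainted.get(normalize(req.name), set()):
            issues.append(f"tainted release {req.version}")
        if issues:
            findings[normalize(req.name)] = issues
    return findings


# Constructed lock file; the digest is a placeholder, not a real artifact hash.
LOCKFILE = """\
--index-url https://pypi.org/simple
ultralytics==8.3.45 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
numpy==1.26.4
requests>=2.31   # no pin, no hash
"""

if __name__ == "__main__":
    for name, issues in audit(LOCKFILE).items():
        print(f"{name}: {', '.join(issues)}")
```

In practice the hashes come from the lock tool (for example `pip-compile --generate-hashes`) and are enforced at install time with `pip install --require-hashes -r requirements.txt`, so a release that was re-uploaded under a known version or resolved to an unexpected file fails the install rather than running. The tainted list here is static; a real audit job would pull it from an advisory feed and re-run on every lock-file change.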
