RT @ThePSF: The PSF has adopted ensuring long-term stability while staying open source and community driven 🎉 Than….

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security.

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information:.

We're happy to share that we've started a #PyPI Bluesky account 🦋🐍 and we welcome you to follow us if you're over there! We will still continue to share announcements here. #python.

RT @vortex_ape: i'm late to the party but just started using trusted publishing on @pypi and it's such a nice experience!. just create a re….

"In 2023, Google’s Open Source Security Team (GOSST) helped to fund the launch of Trusted Publishing for PyPI and supported the rollout of 2FA enforcement across PyPI" 👏👏👏.

RT @ThePSF: Astral is starting a fund to support open source projects and maintainers 💝 Thank you @astral_sh for your support of open sourc….

RT @ThePSF: Enormous news! the Python Software Foundation now has a 5 year commitment with @fastly to deliver @pypi, .

RT @ThePSF: We’re grateful for @fastly’s #FastForward program. With our Fastly-sponsored CDN, in 2023 @pypi had a 99% cache-hit ratio, aver….

RT @ActiveState: Concerned about the security of your Python packages? 🔒 Gain actionable insights and best practices in our upcoming webina….

RT @ActiveState: 🎉 ActiveState is pleased to announce our inclusion as a Trusted Publisher to PyPI, enabling Python authors to securely pub….

Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers:. - @gitlab .- @googlecloud .- @ActiveState . They join @github Actions to support publishing without long-lived passwords or API tokens.

This weekend, we detected & mitigated an account takeover attack affecting several PyPI users. At this time, we have not found evidence of malware or any other malicious activity beyond unauthorized account access. Our incident report has more details.

RT @ThePSF: The PSF is looking for a PyPI Support Specialist to join the team! This is a remote position with 2-4 hours/week overlap with U….

PyPI now has an improved way to report #malware, via #PyPI itself! Available on web and preview beta API. Learn more and sign up to help test: .

Looking back at 2023 @mikefiedler discovered some impressive metrics that we want to share! @fastly #PyPI #pytho

TestPyPI ( now requires 2FA for all users to perform management actions. This comes ahead of January 1, 2024 when the same requirement will be applied to all users of PyPI (. Read more at