PyPI in 2025: A Year in Review
As 2025 comes to a close, it’s time to look back at another busy year for the Python Package Index. This year, we’ve focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPIContinue Reading
Y25 Cycle 6 Engineering Progress Report
Providing insight into our product roadmap and, subsequently, the projects being worked on in our six-week cycles. Cycle Y25C6 ran from late September through early November 2025. This cycle focused heavily on quality assurance, user experience improvements, and preparing major features for public release. Cycle Six In Review ThisContinue Reading
Development Cycle Six
Providing insight into our product roadmap and, subsequently, the projects being worked on in our six-week cycles. We’ve been working hard and are excited to share a summary of the projects completed during Cycle Six. Cycle Six In Review This cycle focused heavily on quality assurance, user experience improvements,Continue Reading
Independent Collectives are becoming Organizations
TL;DR: Independent Collectives are being converted to Organizations to make the platform more consistent. There is no change in functionality. From its beginning in 2017, the platform was built around three main types of accounts: Individuals, Collectives, and Organizations. Over time we expanded what these accounts could do and introducedContinue Reading
PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats
An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud, has targeted large volumes of packages in the JavaScript ecosystem, exfiltrating credentials to further propagate itself. PyPI has not been exploited, however some PyPI credentials were found exposed in compromisedContinue Reading
New Login Verification for TOTP-based Logins
We’ve implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from new devices. What’s Changing? Previously, when logging in with a Time-based One-Time Password (TOTP) authenticator, a successful TOTP code was sufficient. Now, if you log in from a device orContinue Reading
Trusted Publishing is popular, now for GitLab Self-Managed and Organizations
Trusted Publishing has proven popular since its launch in 2023. Recap: Trusted Publishing enables software build platforms to publish packages to PyPI on your behalf, eliminating the need to manage long-lived authentication tokens. After a one-time setup where you delegate publishing authority to your platform, it automatically obtains short-lived, scopedContinue Reading
New Expense Submission flow 🎉
We are pleased to announce the release of the new Expense Submission flow! 🎉 We’ve done a lot to increase the odds that your expenses are submitted correctly, pass the essential checks from Collectives and Fiscal Hosts, and are paid promptly. Hundreds of users have been trialing the new flow,Continue Reading
Signature Verification: How to Verify a Digital Signature Online
Digital signatures add another layer of security to your online transactions and communications. But how can you know they’re real? We’ll walk you through how to verify a digital signature online in several popular systems and email clients Digital signatures, unlike electronic signatures, can be cryptographically proven. This enables recipientsContinue Reading
Phishing attacks with new domains likely to continue
Unfortunately the string of phishing attacks using domain-confusionand legitimate-looking emails continues. This is the same attack PyPI saw a few months agoand targeting many other open source repositoriesbut with a different domain name. Judging from this, we believe this type of campaign will continuewith new domains in the future. InContinue Reading