Python Package Index

The PSF is looking for a PyPI Sustainability Engineer to join the team! This is a full time, 1-year contract (with the possibility of renewal), globally remote position. If you love #Python, care about open source, and want your work to matter at infrastructure scale–consider applying! Please boost this post and share with your colleagues and networks. #PyPI #Python …thonsoftwarefoundation.applytojob.com/apply/xz5k3X31… …thonsoftwarefoundation.applytojob.com/apply/xz5k3X31…

🔎🔐 #PyPI has completed its second external #security audit! Thanks to Sovereign Tech Agency for funding, @trailofbits for the audit, and @AlphaOmegaOSS for supporting rapid remediation. Find the full report on the Trail of Bits publication page. #Python blog.pypi.org/posts/2026-04-…

PSF Security developers have published incident reports on the LiteLLM & Telnyx #supplychain attacks. Read what happened, who's affected, and what developers & maintainers can do to prepare and protect themselves from future incidents. #security #python blog.pypi.org/posts/2026-04-…

Over the past year (and a half!), our inaugural PyPI Support Specialist, Maria Ashna, helped tackle backlogs, improve support processes, and keep #PyPI running smoothly for the #Python community. Read the full reflection on what that work looked like 👇 blog.pypi.org/posts/2026-01-…

2025 was another eventful year for PyPI! Critical security enhancements, powerful new org features, a better overall user experience, and transparent security incident response 🎉👏 Thank you, PyPI team & community! Learn more on our blog: blog.pypi.org/posts/2025-12-…

🚨 New PyPI blog post TL,DR: - Trusted Publishing used for 25% of all files uploaded in Oct 2025 - @gitlab Self-Managed now in beta - Pending Publishers can be added for Organizations, too! #Python #SupplyChain #Security blog.pypi.org/posts/2025-11-…

PyPI serves billions of requests daily- but sustaining it isn’t free. The PSF joined the OpenSSF & others in calling for organizations to invest in sustainable open infrastructure. Learn what this means for #PyPI, the PSF, & how our community can pitch in: pyfound.blogspot.com/2025/10/open-i…

A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details: blog.pypi.org/posts/2025-09-…

🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain. Read more about what steps we're taking to protect PyPI users from future campaigns: blog.pypi.org/posts/2025-09-…

The PSF has adopted pypistats.org, ensuring long-term stability while staying open source and community driven 🎉 Thank you to Christopher Flynn, for operating this community service for 6+ years- and for continuing to maintain the project 💪🐍 pyfound.blogspot.com/2025/08/pypist…

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security blog.pypi.org/posts/2025-08-…

The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from ZIP confusion attacks. There is no evidence that this vulnerability has been exploited. Read the blog post for more information: blog.pypi.org/posts/2025-08-…

We're happy to share that we've started a #PyPI Bluesky account 🦋🐍 and we welcome you to follow us if you're over there! We will still continue to share announcements here. bsky.app/profile/pypi.o… #python bsky.app/profile/pypi.o…

i'm late to the party but just started using trusted publishing on @pypi and it's such a nice experience! just create a release.yml on github and add the repo name on the pypi project, that's it! it's so good to not deal with creating api tokens and putting them on github

"In 2023, Google’s Open Source Security Team (GOSST) helped to fund the launch of Trusted Publishing for PyPI and supported the rollout of 2FA enforcement across PyPI" 👏👏👏

Astral is starting a fund to support open source projects and maintainers 💝 Thank you @astral_sh for your support of open source, the PSF, and the #python community, especially @pypi and CPython! x.com/astral_sh/stat…

Enormous news! the Python Software Foundation now has a 5 year commitment with @fastly to deliver @pypi, us.pycon.org, and much more. We appreciate you and your continued investment in the #python community, Fastly! #PyConUS