The PyPI Blog
PyPI in 2025: A Year in Review
As 2025 comes to a close, it’s time to look back at another busy year for the Python Package Index. This year, we’ve focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency.
PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats
An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud, has targeted large volumes of packages in the JavaScript ecosystem, exfiltrating credentials to further propagate itself.
PyPI has not been exploited; however, some PyPI credentials were found exposed in compromised repositories. We’ve revoked these tokens as a precaution; there’s no evidence they have been used maliciously. This post raises awareness about the attack and encourages proactive steps to secure your accounts, especially if you’re using build platforms to publish packages to PyPI.
New Login Verification for TOTP-based Logins
We’ve implemented a new security feature designed to protect PyPI users from phishing attacks: email verification for TOTP-based logins from new devices.
Trusted Publishing is popular, now for GitLab Self-Managed and Organizations
Trusted Publishing has proven popular since its launch in 2023.
Recap: Trusted Publishing enables software build platforms to publish packages to PyPI on your behalf, eliminating the need to manage long-lived authentication tokens. After a one-time setup where you delegate publishing authority to your platform, it automatically obtains short-lived, scoped tokens for each build—no manual token management required.
Read the Security Model for a deeper understanding of how Trusted Publishing works.
Phishing attacks with new domains likely to continue
Unfortunately, the string of phishing attacks using domain-confusion and legitimate-looking emails continues. This is the same attack PyPI saw a few months ago, which has also been targeting many other open source repositories, but with a different domain name. Judging from this, we believe this type of campaign will continue with new domains in the future.
Token Exfiltration Campaign via GitHub Actions Workflows
Summary
I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers.
Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.
I’ve invalidated all affected tokens and notified the impacted project maintainers. If you’re one of them, I have emailed you from security@pypi.org.
Preventing Domain Resurrection Attacks
Summary
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.
These changes improve PyPI’s overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts.
PyPI now serves project status markers in API responses
PyPI now serves project status markers in its standard index APIs. This allows downstream consumers (like Python package installers and index mirrors) to retrieve project statuses programmatically and use them to inform users when a project is archived or quarantined.
Summary
- PyPI has implemented project status markers as proposed and accepted in PEP 792.
- As of today, PyPI supports three standard statuses: active (the default), archived, and quarantined.
- Downstream consumers can now retrieve these statuses via the standard index APIs and use them to inform users about the state of a project.
See the project archival and project quarantine announcement posts for additional information on PyPI’s implementation of those individual statuses.
Preventing ZIP parser confusion attacks on Python package installers
The Python Package Index is introducing new restrictions to protect Python package installers and inspectors from confusion attacks arising from ZIP parser implementations. This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module.
Summary
- ZIP archives constructed to exploit ZIP confusion attacks are now rejected by PyPI.
- There is no evidence that this vulnerability has been exploited using PyPI.
- PyPI is deprecating wheel distributions with incorrect RECORD files.
Please see this blog post and CVE-2025-54368 for more information on uv’s patch.
Incident Report: Phishing Attack
Over the past few days, a phishing attack targeting PyPI users via email was uncovered. Our initial report was posted to raise awareness of the attack, and to provide some initial details on the attack vector.
Social media posts linking to the initial report have been shared widely. PyPI itself has not been breached with this attack.
Summary
- 4 user accounts were successfully phished, now either disabled or credentials rotated
- 2 API Tokens were generated by the attackers, which have since been revoked
- 2 releases of the num2words project were uploaded by the attacker, which have since been removed
- The phishing domain has been taken down