The Python Package Index (PyPI) is the repository of software for the Python programming language. Pronounced 🥧 🫛 👁️

Python 3.11 delivers.
Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI. We’re publishing the details here to raise awareness of what is likely an ongoing threat.
We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them. To ensure that these maintainers can use strong 2FA methods, we're also distributing 4000 hardware security keys! pypi.org/security-key-giveaw…
Incident report on malicious takeover of ctx package on PyPI has been published. Read details, mitigation, analysis, and more at python-security.readthedocs.…
Welcome to the home of pypi.org on twitter! You can follow here for announcements about the package index as well as interesting things going on in the Python packaging ecosystem.
New user and new project registrations on PyPI are temporarily suspended. See details at status.python.org/incidents/…
PyPI will no longer accept passwords that have been published in data breaches. For background you can take a look at github.com/pypa/warehouse/pu…. For high level overview see pypi.org/help/#compromised-p… Finally if you have any trouble, please file an issue at github.com/pypa/warehouse/is…
In total, PyPI served 324.1 petabytes in 2021; that's an average bandwidth of 82.2 Gbps for the entire year. We and the entire Python community owe @fastly immense gratitude for providing this CDN service. Their support makes PyPI as you know it possible.
Second question! How much bandwidth does it take to serve 126,545,477,066 downloads in a year?
Thank you @IBMDeveloper for supporting PyPI. Through sponsorships and grants, @thePSF raised over $300,000 for PyPI’s use. Let’s keep that momentum going! python.org/sponsors/applicat…
The answer is: One hundred twenty-six billion five hundred forty-five million seven hundred seventy thousand and sixty-six downloads accounted for in 2021. 126,545,477,066 Thanks @googlecloud BigQuery for making it possible for us to track this scale. packaging.python.org/en/late…
Without phoning a friend (or querying the world wide web)... How many downloads do you think PyPI served in 2021?
With one week left in our security key giveaway, we've decided to open up eligibility to any existing PyPI user. Get yours while supplies last, and before the giveaway ends when the codes expire on Oct 1st. pypi.org/security-key-giveaw…
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems. blog.pypi.org/posts/2023-04-…
We want to thank @ryotkak for identifying and responsibly disclosing three PyPI security vulnerabilities per pypi.org/security/. You can read our analysis and mitigation here: 1️⃣ python-security.readthedocs.… 2️⃣ python-security.readthedocs.… 3️⃣ python-security.readthedocs.…
Thanks to @Ewjoachim, we are now integrated with the @github Secret Scanning service. When users make a mistake and publish PyPI API tokens to GitHub they will automatically be revoked with notification. You can read more at docs.github.com/en/code-secu… and pypi.org/help/#compromised-t…
Today, we are rolling out the first step in our plan to build financial support and long-term sustainability, while simultaneously giving our users one of our most requested features: organization accounts. blog.pypi.org/posts/2023-04-…
We have additionally determined that some maintainers of legitimate projects have been compromised, and malware published as the latest release for those projects. These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen.
Our CDN is currently experiencing a major outage. We've confirmed that our backends are up and healthy, and will update when we have more information.
Background: the phishing message claims that there is a mandatory ‘validation’ process being implemented, and invites users to follow a link to validate a package, or otherwise risk the package being removed from PyPI.
PEP 658 has finally landed on PyPI! Wheels uploaded as of about 15 minutes ago now have the appropriate information served from the simple APIs, and METADATA files available on files.pythonhosted.org.
Thanks to @awscloud, @ThePSF is hiring for a Safety and Security Engineer focused on PyPI! Read about how the role will be funded, what will be worked on, and how to apply at blog.pypi.org/posts/2023-05-…
Note that PyPI will NEVER remove a valid project from the index. PyPI only removes projects which violate our TOS or are in some way determined to be harmful (e.g., malware).
We're grateful that @fastly has served PyPI with free services since May 2013 and are excited to be part of their new initiative Fast Forward ⏩ which aims to empower everyone to build the good, open internet. Read more here: fastly.com/blog/fast-forward…
📣Announcing Fast Forward ⏩ the next phase in our commitment to making the internet a better place. 🧵
We truly appreciate @Google for demonstrating their support of PyPI by becoming a Visionary sponsor this year. Their generosity ensures that we can improve and sustain PyPI for many generations to come.
In light of yesterday’s phishing attack, we have updated the eligibility requirements for our security key giveaway. Any maintainer of a critical project, regardless of whether they already have TOTP-based 2FA enabled, is now eligible: pypi.org/security-key-giveaw…
We’ve been behind @fastly for ten and a half years! Thanks for a decade of support and for having us at #altitude2023! mail.python.org/pipermail/di…
Big thanks and a shoutout to @AWSOpen for providing credits to operate our backends on @awscloud since the re-launch on the warehouse codebase in 2018.
The link takes the user to a phishing site mimicking PyPI’s login page, which steals any credentials entered. We are unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes. Accounts protected by hardware security keys are not vulnerable.
We've published an incident report for the JSON API redirect loop outage today: status.python.org/incidents/… We understand the frustration, but are excited that on the other side of this outage PyPI is more cacheable, performant, and reliable, dropping ~25rps from our backends.
upload.pypi.org now enforces that users with 2FA enabled must use an API token or Trusted Publisher configuration in place of their passwords. Read the announcement and details at: blog.pypi.org/posts/2023-06-…
2FA has launched for the PyPI web interface! Read more about the feature and what we have coming soon at pyfound.blogspot.com/2019/05…
The malicious releases follow a similar pattern, again using linkedopports[dot]com. At this time, the malicious releases that we are aware of are:
- exotel==0.1.6
- spam==2.0.2 and ==4.0.2
We’ve additionally taken down several hundred typosquats that fit the same pattern.
Happy Friday! It has been a busy week on our blog, but we're wrapping it up with an update on some of the work that's been going on in the background lately to ensure the privacy and security of PyPI users: blog.pypi.org/posts/2023-05-…
🔉 Python for your ears alert! Our PyPI Safety & Security Engineer @mikefiedler sat down with @mkennedy last month for a fun conversation on the Talk Python podcast. Listen in to what he had to say at bit.ly/46HEF4t or wherever you get your podcasts :)
20,743
PyPI now supports internationalization thanks to @OpenTechFund! We’re ready for translations to begin at hosted.weblate.org/projects/… and appreciate @WeblateOrg for providing their service. If you run into issues or have questions, head over to github.com/pypa/warehouse/is… and let us know.
Finally, if you believe you’ve received a phishing email, please contact security@pypi.org with details about the sender email address and URL of the malicious site to help us respond to this issue. And thanks to everyone who reported this attempt!
In order to prevent phishing attacks from succeeding, enable 2FA, ideally using hardware security keys or WebAuthn two-factor authentication: pypi.org/2fa/ PyPI is currently offering free hardware keys for maintainers of the top 1% of projects: pypi.org/security-key-giveaw…
We are grateful for @anacondainc's support of PyPI as a Contributing sponsor of @thePSF. Sponsorship funds not only help us maintain what we have but will also help us with future improvements!
Who's eligible? Project eligibility is based on downloads: any project in the top 1% of downloads over the prior 6 months is designated as critical (as well as PyPI's own dependencies). Today, we’ve notified maintainers of those projects via email. But that's not all!
We truly appreciate @Google for demonstrating their support of PyPI by becoming a Visionary sponsor. Their generosity ensures that we can improve and sustain PyPI for many generations to come!
PS: If you're trying to redeem your code and getting 'Promo code doesn't apply', increase your quantity in the cart from 1 key to 2 keys! Our intention is for everyone to be able to have a secondary backup key in addition to their primary key.
To verify that you’re not entering credentials in a phishing site, confirm that the URL in the address bar is pypi.org and that the site’s TLS certificate is issued to pypi.org. Additionally, consider using a browser-integrated password manager.
How to protect yourself: If you believe you may have entered credentials on a phishing site:
- reset your password
- reset your 2FA recovery codes
- review pypi.org/manage/account/#api… and pypi.org/manage/account/#acc… for suspicious activity
What we’re doing: We’re actively reviewing reports of new malicious releases, and ensuring that they are removed and the maintainer accounts restored. We’re also working to make security features like 2FA more prevalent across projects on PyPI.
PyPI now has an improved way to report #malware, via #PyPI itself! Available on web and preview beta API. Learn more and sign up to help test: blog.pypi.org/posts/2024-03-…
Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users. You can track our progress on our dashboard: p.datadoghq.com/sb/7dc8b3250…
First order of business! If you haven't verified your email on PyPI, head over to pypi.org/manage/account/ to complete the process!
🐍📦✨Python people! We want *your* feedback on Python Packaging! Please help us by responding to our survey @ bit.ly/3qmFQ69 Please RT for reach! 🐍📦✨
We've finally resolved the issues with our data pipeline that feeds our public dataset documented at packaging.python.org/en/late… Note: If you are currently consuming from the `the-psf` dataset, you should migrate to the `bigquery-public-data` dataset and reprocess 2021-11-23 onward.
We've also enabled a feature that will allow any project to opt-in to a 2FA requirement for its maintainers: this can be enabled in the settings for each individual project. This can be enabled/disabled for non-critical projects at any time.
Today's a wonderful day to remind you that we are not two π in a trench coat, but a Pie Pea Eye. Please sign this petition to bring our dreams of the pea emoji to life peas.org/pea-emoji/ so we can fully emojify our name.
🙊 Did you just say "pie-pie"? 🤔 Did you mean to say "pie-pea-eye" instead? ℹ️ PyPI 🗣 Pie - pea - eye 📖 The Python Packaging Index 🔗 pypi.org ℹ️ PyPy 🗣 Pie - Pie 📖 An alternative Python implementation 🔗 pypy.org 👋 kthxbai
In support of The PSF's mission, we are hiring for an engineering role that will focus on improving the safety and security of the Python Package index. This role will have shared ownership of key security & safety features with senior maintainers. python.org/jobs/7221/
When credentials are entered on the phishing site sites[dot]google[dot]com/view/pypivalidate, the data is sent to a URL on the domain linkedopports[dot]com.
This excellent tip from @oscar_mcm is now reliably implemented. Classifiers beginning with “Private ::” are now disallowed from even existing in PyPI’s database.
Looking back at 2023 @mikefiedler discovered some impressive metrics that we want to share! @fastly #PyPI #pytho
Come help improve the Python packaging ecosystem! This is a *paid* full-time role with @ThePSF that will include project management on PyPI!
With the support of our newest Visionary sponsor, @TechAtBloomberg, we are excited to be hiring a Project Manager for the Python packaging ecosystem. Read more about the position, its goals, and how it came to fruition at pyfound.blogspot.com/2021/04…
Our security key giveaway has concluded, and as a result:
- >400 unique projects chose to require 2FA
- >1600 hardware keys were distributed
- >3000 new users turned on 2FA
And as of today, more than 31,000 users on PyPI have 2FA enabled, up from 28K when we started. 🎉
You can now include mathematical expressions in your rST or Markdown project description on @pypi. Example here: pypi.org/project/sourcespec/ Thanks to @pypi contributor @mikefiedler for implementing this!
We truly appreciate @RedHat for demonstrating their support of PyPI by becoming a Contributing sponsor. Their generosity ensures that we can improve and sustain PyPI for many generations to come.
Support for non-SNI clients will end the week of May 3rd. As that date approaches, in order to ensure users are aware and have time to upgrade/fix/test, non-SNI clients will experience rolling brownouts starting today. See the timetable and details at github.com/pypa/pypi-support…
Support from organizations like @PrefectIO helps keep PyPI running and allows us to continually keep improving it. Thank you!
Does your company rely on PyPI? This new sponsorship program from @ThePSF will build a more sustainable PyPI for the whole community and fund improvements to the entire packaging ecosystem. pypi.org/sponsor/ Read the full announcement at pyfound.blogspot.com/2020/04…
We're so grateful to @AWSOpen for their support of PyPI as a Sustainability sponsor of @ThePSF! Sponsors like you help us build a more sustainable PyPI for the whole community and fund improvements to the entire packaging ecosystem. Thank you!
We have additionally determined that the 'deep-translator' project was compromised and deep-translator==1.8.5 was a malicious release.
We truly appreciate @linode for demonstrating their support of PyPI by becoming a Supporting sponsor. Their generosity ensures that we can improve and sustain PyPI for many generations to come!
Thanks to the @OpenTechFund, in addition to TOTP we now support Two-Factor Authentication via the WebAuthn standard! If you have a U2F compatible security key, you can use the feature in beta starting today! Read more about this and what's to come at pyfound.blogspot.com/2019/06…
It's easy to miss important announcements in the whirlwind of social media! If you want to be sure to see important announcements regarding changes to PyPI, we recommend subscribing to our low-volume announcement list at mail.python.org/mm3/mailman3…
Thanks to @AWSOpen!
We are pleased to announce that @awscloud is the first Python Package Index (PyPI) Security Sponsor for @ThePSF. AWS is providing funding to the Python Software Foundation to hire a full-time Safety and Security Engineer for PyPI. go.aws/43WYMdV #PyConUS #PyConUS2023
Get paid to work on PyPI! One week left to submit your proposal!
We are hiring two contract developers to build organization accounts for @PyPI. This is a unique opportunity to flex your skills and develop next-gen features for PyPI. More details at pyfound.blogspot.com/2022/02…
Another oddball stat to kick your weekend off. The PyPI service was deployed 342 times, our quietest year for deploys since the 2018 relaunch; there have been 2714 deploys of the "new" codebase in total.
We are grateful for @TechAtBloomberg's support of PyPI as a Visionary sponsor of @thePSF. Sponsorship funds not only help us maintain what we have but will also help us with future improvements! #thankyou
Thank you @realpython for supporting PyPI. Through sponsorships and grants, @thePSF raised over $300,000 for PyPI’s use. Let’s keep that momentum going! python.org/sponsors/applicat…
We are grateful for @nvidia's support of PyPI as a Sustainability sponsor of @thePSF. Sponsorship funds not only help us maintain what we have but will also help us with future improvements!
Thank you @Docker for supporting PyPI. Through sponsorships and grants, @thePSF raised over $300,000 for PyPI’s use. Let’s keep that momentum going! python.org/sponsors/applicat…
TestPyPI (test.pypi.org) now requires 2FA for all users to perform management actions. This comes ahead of January 1, 2024 when the same requirement will be applied to all users of PyPI (pypi.org). Read more at blog.pypi.org/posts/2023-12-…
We truly appreciate @RedHat for demonstrating their support of PyPI as a Contributing sponsor. Their generosity ensures that we can improve and sustain PyPI for many generations to come!
Thank you to @realpython for financially supporting PyPI through @thePSF’s sponsorship program. Every sponsorship has an impact on PyPI’s sustainability and maintenance. Considering being a sponsor? Email sponsors@python.org
Support from organizations like @elastic helps keep PyPI running and allows us to keep improving it continually. Thank you!
Huge thank you to @pythonanywhere for sponsoring PyPI! Does your company rely on PyPI? @thePSF’s sponsorship program aims to build a more sustainable PyPI for the whole community and fund improvements to the entire packaging ecosystem bit.ly/3DHWSQd
Have you built something interesting using the PyPI Big Query public dataset? Drop us a line at bigquery-feedback@pypi.org. We'd like to preview some upcoming changes and maybe feature your project in the announcement. packaging.python.org/guides/…
And yeah, we deploy on Fridays.
Our CDN provider has opened an incident and we are following along with their updates.
We truly appreciate @techatbloomberg for demonstrating their support of PyPI by becoming a Visionary sponsor of @thePSF. Their generosity ensures that we can improve and sustain PyPI for many generations to come.
Thanks to @AWSOpen for providing the funding to support this role as our first Security Sponsor, including a continued investment in long-term credits and support for PyPI infrastructure! #PyConUS2023
If our tweet yesterday was a little sparse on detail... Dawn has you covered.
So @PyPI has upgraded to 3.11 and we all get to benefit from the performance bump! 🚀 I talked about it on my *first* #techtok from vacation 🏝 🐍 #snaketok tiktok.com/t/ZTRV4V6EL/