Blog: PyPI in 2025: A Year in Review

Published: (December 31, 2025 at 02:08 PM EST)

Source: Hacker News


As 2025 comes to a close, it’s time to look back at another busy year for the Python Package Index. This year we focused on:

  • Delivering critical security enhancements
  • Rolling out powerful new features for organizations
  • Improving the overall user experience for the millions of developers who rely on PyPI every day
  • Responding to a number of security incidents with transparency

By the Numbers

  • 3.9 million new files published
  • 130,000 new projects created
  • 1.92 exabytes of total data transferred
  • 2.56 trillion total requests served
  • 81,000 requests per second on average

These figures illustrate the continued growth and vibrancy of the Python community.

Security First, Security Always

Security is our top priority, and in 2025 we’ve shipped a number of features that make PyPI more secure than ever.

Enhanced Two‑Factor Authentication (2FA) for Phishing Resistance

We’ve improved our 2FA implementation, starting with email verification for TOTP‑based logins. This adds an extra layer of protection by requiring you to confirm a login from a trusted device when using a phishable 2FA method such as TOTP.

Since rolling out these changes we’ve seen:

  • 52% of active users have non‑phishable 2FA enabled
  • 45,000+ unique verified logins

Trusted Publishing and Attestations

Trusted publishing remains a cornerstone of our security strategy. This year we expanded support to include GitLab Self‑Managed instances, letting maintainers automate releases without long‑lived API tokens. We also added custom OIDC issuers for organizations, giving companies more control over their publishing pipelines.

Adoption of trusted publishing has been fantastic:

  • 50,000+ projects now use trusted publishing
  • 20%+ of all file uploads to PyPI in the last year were performed via trusted publishers

We’ve also been hard at work on attestations, a feature that lets publishers make verifiable claims about their software. Attestations are now supported by all Trusted Publishing providers, and the community is already using them to strengthen the software supply chain.

  • 17% of all uploads to PyPI in the last year included an attestation

Proactive Security Measures

Beyond user‑facing features, we’ve implemented a number of proactive measures to protect the registry from attack:

  • Phishing protection: PyPI now detects and warns users about untrusted domains – see the blog post.
  • Improved ZIP file security: The upload pipeline has been hardened to prevent attacks involving malicious ZIP files – read more here.
  • Typosquatting detection: PyPI automatically detects and flags potential typosquatting attempts during project creation.
  • Domain resurrection prevention: Expired domains are periodically checked to prevent domain‑resurrection attacks – details in the announcement.
  • Spam prevention: We’ve taken action against spam campaigns, including prohibiting registrations from specific abusive domains – see the post.
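The typosquatting check above flags new project names that are confusingly close to established ones. The page does not describe PyPI's actual heuristics, so this added example (not PyPI's code) shows one defensible approach: PEP 503 name normalization plus an edit distance that counts adjacent transpositions. The popular-project list is constructed for illustration.

```python
import re

# Constructed sample of established project names; a real check would use
# a download-ranked list of existing projects.
POPULAR_PROJECTS = ["requests", "numpy", "urllib3", "pillow", "python-dateutil"]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and an adjacent transposition (nmupy -> numpy) also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_project_name(name: str, popular=POPULAR_PROJECTS, max_distance: int = 1):
    """Classify a requested project name.

    Returns ("conflict", [...]) when the normalized name already exists
    (PyPI treats 'Requests' and 'requests' as the same project),
    ("suspicious", [...]) when it is within max_distance edits of an
    established name, and ("ok", []) otherwise.  Very short names are
    skipped because a distance of 1 between them is mostly noise.
    """
    n = normalize(name)
    conflicts = [p for p in popular if normalize(p) == n]
    if conflicts:
        return "conflict", conflicts
    if len(n) < 4:
        return "ok", []
    near = [p for p in popular if osa_distance(n, normalize(p)) <= max_distance]
    return ("suspicious", near) if near else ("ok", [])


if __name__ == "__main__":
    for candidate in ["requsts", "nmupy", "Python_DateUtil", "flask-admin-tools"]:
        print(candidate, "->", check_project_name(candidate))
```

Flagged names would be held for human review rather than rejected outright, since legitimate forks and plugins often sit one edit away from the project they extend.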

Transparency and Incident Response

This year we have focused on providing transparent, timely information about security incidents affecting PyPI. We have published detailed incident reports on several events, including:

  • Privileges persisting in organization teams – Read the report
  • Widespread phishing attack targeting PyPI users – Read the report
  • Token exfiltration campaign via GitHub Actions workflows – Read the report
  • Potential implications of the “Shai‑Hulud” attack on the npm ecosystem – Read the report

We believe transparency is key to building and maintaining trust with our community, and we will continue to provide these reports as needed.

Safety and Support Requests

This year, our safety & support team and administrators have been working diligently to address user requests and combat malware, keeping the ecosystem healthy. We’re proud to report significant progress in handling support inquiries and improving our malware response.

Malware Response

  • Processed more than 2,000 malware reports – a testament to the vigilance of our community and the dedication of our administrators.
  • Goal: reduce the time it takes to remove malware from PyPI. Recent performance:
    • 66% of reports handled within 4 hours.
    • 92% handled within 24 hours.
    • Only a few complex cases required the maximum 4 days to remediate.

Support Requests

  • Resolved 2,221 individual account‑recovery requests.
  • Handled over 500 project‑name‑retention requests (PEP 541).
    • Average first‑triage time: < 1 week.
    • This is a significant improvement over the previous 9‑month backlog; the queue is current as of December.

Organizations Growth

One of our biggest announcements in previous years was the general availability of organizations on PyPI. Organizations give companies and community projects a centralized place to manage their packages, teams, and billing.

Recent Adoption

  • 7,742 organizations have been created on PyPI
  • 9,059 projects are now managed by organizations

New Features

We’ve been hard at work adding capabilities to organizations, including:

  • Team management
  • Project transfers
  • A comprehensive admin interface

We’re excited to see organizations leverage these features to use PyPI more effectively.

A Better PyPI for Everyone

We’ve made a number of improvements to the overall maintainer experience on PyPI, including:

  • Project lifecycle management – You can now archive your projects to signal that they are no longer actively maintained. This is part of a larger effort to standardize project‑status markers as proposed in PEP 792.
  • New Terms of Service – A new Terms of Service formalizes our policies and enables new features such as organizations.

Looking Ahead to 2026

We’re proud of the progress we made in 2025, but we know there’s always more to do. In 2026, we’ll continue to focus on improving the security, stability, and usability of PyPI for the entire Python community.

Acknowledgements

A huge thanks to our sponsors who make the scale and reliability of PyPI possible, and a special shout‑out to Fastly for being a critical infrastructure donor.

Individual contributors

We’d like to extend a special thank‑you to the following individuals for their significant contributions this year:

  • William Woodruff
  • Facundo Tuesca
  • Seth Michael Larson

Your work on trusted publishing, attestations, project archival, zip‑file mitigation, and other security features has been invaluable.

The community

PyPI wouldn’t be what it is today without the countless hours contributed by our community. Thank you to everyone who:

  • Submitted code
  • Opened issues
  • Provided feedback
  • Improved documentation

Your efforts keep PyPI thriving.

Here’s to a great 2026!

Dustin Ingram, on behalf of the PyPI team
