TL;DR

PyPI reports substantial growth in 2025 alongside a major push on security and organizational features. The registry rolled out stronger 2FA, expanded trusted publishing and attestations, sped malware remediation, and added organization-management capabilities.

What happened

The Python Package Index posted a year-end summary showing heavy usage and a slate of platform improvements in 2025. Usage metrics include about 3.9 million new files, roughly 130,000 new projects, 1.92 exabytes of data transferred, 2.56 trillion requests served and an average of 81,000 requests per second. The team prioritized security: two-factor authentication was strengthened with email verification for TOTP logins, trusted publishing was broadened to GitLab Self‑Managed and custom OIDC issuers, and attestations from trusted providers were enabled. Proactive defenses added phishing-domain warnings, tightened ZIP upload handling, automated typosquatting detection, domain-expiration checks and spam mitigations. The incident response program published reports on several notable events. Malware handling improved, with over 2,000 reports processed and most remediated within 24 hours, and support teams cleared account-recovery and project-retention backlogs. Organizations saw steady uptake and new admin features; project archival and updated terms of service were also introduced.

Why it matters

  • Stronger account and supply-chain protections reduce risk for thousands of downstream dependents.
  • Trusted publishing and attestations help automate secure releases without long-lived tokens for many maintainers.
  • Faster malware handling and clearer incident reports improve ecosystem resilience and transparency.
  • Organization tools and lifecycle features make PyPI more suitable for company and large-project workflows.

Key facts

  • About 3.9 million new files published on PyPI in 2025.
  • Roughly 130,000 new projects were created during the year.
  • PyPI served approximately 2.56 trillion requests and transferred 1.92 exabytes of data.
  • Average traffic load was around 81,000 requests per second.
  • Following the 2FA changes, more than 52% of active users have non-phishable 2FA enabled, and over 45,000 logins were email-verified.
  • Trusted publishing is in use by more than 50,000 projects and accounted for over 20% of file uploads.
  • Attestations accompanied roughly 17% of uploads in the last year.
  • Over 2,000 malware reports processed; 66% handled within 4 hours and 92% within 24 hours.
  • Support resolved 2,221 account-recovery requests and processed over 500 PEP 541 (project name retention) cases with an average first triage time under one week.
  • 7,742 organizations created on PyPI; 9,059 projects are managed by organizations.

What to watch next

  • Further adoption and integration of trusted publishing and attestations across more projects and CI providers.
  • Ongoing security work in 2026 focused on stability, usability, and additional defenses against supply-chain attacks.
  • How organization features, such as team management and project transfers, affect enterprise and community project workflows.

Quick glossary

  • PyPI: The Python Package Index, the primary public repository for Python packages and distribution files.
  • Two-Factor Authentication (2FA): A security process requiring two separate forms of identification before granting account access.
  • TOTP (Time-based One-Time Password): a temporary code generated by an authenticator app and used as a second factor.
  • Trusted Publishing: A mechanism that lets CI/CD systems or hosting providers publish packages on behalf of maintainers without long-lived tokens.
  • Attestation: A verifiable claim about a software artifact (for example, build provenance) intended to improve supply-chain trust.

Reader FAQ

How large was PyPI's traffic in 2025?
PyPI reported about 2.56 trillion requests, 1.92 exabytes transferred, and an average of 81,000 requests per second.

What 2FA changes did PyPI make?
PyPI added email verification for TOTP-based logins to improve phishing resistance and reported increased non-phishable 2FA adoption.

Did PyPI speed up malware response?
Yes — more than 2,000 malware reports were processed, with 66% resolved within 4 hours and 92% within 24 hours.

Are there details on pricing or billing for organizations?
Not confirmed in the source.

Sources

  • PyPI in 2025: A Year in Review (PyPI blog; tagged new features, organizations, security): "As 2025 comes to a close, it's time to look back at another busy year for the Python Package…"
