TL;DR
PyPI reported strong growth in 2025 alongside a series of security-focused upgrades and new features for organizations. The registry rolled out enhanced 2FA, expanded trusted publishing and attestations, tightened proactive defenses, and improved malware and support response times.
What happened
Over 2025 the Python Package Index recorded substantial activity and introduced several platform-level changes. Usage metrics included roughly 3.9 million new files, about 130,000 new projects, 1.92 exabytes transferred, 2.56 trillion requests served and an average of 81,000 requests per second. Security work emphasized phishing-resistant login flows (including email verification for TOTP logins), broader trusted publishing (now covering GitLab Self-Managed and custom OIDC issuers) and attestation support. Adoption figures show more than 50,000 projects using trusted publishing, over 20% of file uploads coming via trusted publishers, and attestations present on 17% of uploads. PyPI also deployed proactive mitigations—phishing domain warnings, ZIP upload hardening, typosquatting detection, periodic checks to prevent domain resurrection, and domain-level spam restrictions. The safety team processed 2,000+ malware reports with 66% handled within four hours and 92% within 24 hours, and resolved 2,221 account recoveries. Organization usage grew, and maintainers gained project archival and updated Terms of Service.
Why it matters
- Improved 2FA and phishing defenses reduce the risk of account takeover and supply-chain compromise for package maintainers.
- Trusted publishing and attestations aim to make automated releases and provenance claims more secure and verifiable.
- Faster malware triage and better spam controls shorten the window malicious packages can affect users.
- Organization features and project lifecycle tools help teams manage packages, ownership and maintenance status more centrally.
Key facts
- 3.9 million new files published on PyPI in 2025.
- Approximately 130,000 new projects created during the year.
- 1.92 exabytes of data transferred and 2.56 trillion total requests served.
- Average traffic of about 81,000 requests per second.
- Enhanced 2FA: over 52% of active users have non-phishable 2FA enabled and more than 45,000 unique verified logins recorded.
- Trusted publishing adoption: more than 50,000 projects using it and over 20% of file uploads in the last year done via trusted publishers.
- Attestations were included with 17% of uploads in the last year.
- Safety team processed over 2,000 malware reports; 66% remediated within 4 hours and 92% within 24 hours.
- 7,742 organizations created on PyPI and 9,059 projects managed by organizations.
- Support resolved 2,221 account recovery requests and handled 500+ PEP 541 project name retention requests with average first triage under one week.
What to watch next
- PyPI's stated priorities for 2026: continuing work on security, stability and usability (confirmed in the source).
- Further adoption and evolution of trusted publishing and attestations — not confirmed in the source.
- Expansion of organization features or billing changes — not confirmed in the source.
Quick glossary
- Two-Factor Authentication (2FA): An account security method that requires two different forms of identification before granting access, commonly a password plus a second factor like a code from an authenticator app or a hardware token.
- TOTP (Time-Based One-Time Password): A common 2FA method that generates short-lived numeric codes from a shared secret and the current time.
- Trusted Publishing: A publishing workflow that uses short-lived credentials or identity federation (such as OIDC) to allow automated, auditable package uploads without long-lived API tokens.
- Attestation: A verifiable claim about a software artifact—often cryptographically signed—used to provide provenance or metadata about how a release was produced.
- Typosquatting: A type of attack where malicious actors register package names similar to popular projects to trick users into installing harmful or counterfeit packages.
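The "What happened" section lists typosquatting detection among PyPI's proactive mitigations, and the glossary entry above describes the attack. The following is an added example written for this page, not PyPI's own detection code, of the kind of name-similarity check a registry or an internal package mirror can run on a new project name before accepting it. It assumes a constructed list of "popular" names (a real deployment would load the registry's own most-downloaded list) and uses PEP 503 name normalization plus plain edit distance.

```python
import re

# Constructed list of "popular" project names for this example only; a real
# deployment would load the registry's top-downloads list instead.
POPULAR_PROJECTS = ["requests", "numpy", "urllib3", "setuptools", "pillow", "python-dateutil"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, popular=POPULAR_PROJECTS, max_distance: int = 2):
    """Return (popular_name, reason) pairs that make `candidate` look like a typosquat.

    Reasons: 'identical' after normalization, 'edit-distance N' when within
    max_distance of a popular name, 'affix' when a popular name has a short
    prefix or suffix glued on (e.g. 'py-numpy').
    """
    cand = normalize(candidate)
    hits = []
    for pop in popular:
        p = normalize(pop)
        if cand == p:
            hits.append((pop, "identical"))
            continue
        d = levenshtein(cand, p)
        # Guard against flagging everything that is near a very short name.
        if 0 < d <= max_distance and len(p) >= 4:
            hits.append((pop, f"edit-distance {d}"))
            continue
        stripped = cand.replace("-", "")
        core = p.replace("-", "")
        affixed = stripped != core and (stripped.startswith(core) or stripped.endswith(core))
        if affixed and len(stripped) - len(core) <= 3:
            hits.append((pop, "affix"))
    return hits


if __name__ == "__main__":
    for name in ["Requests", "reqeusts", "py-numpy", "flask"]:
        print(name, "->", check_name(name) or "no match")
```

A match is a signal for review, not an automatic rejection: legitimate names sit close to popular ones all the time, so a registry would typically route hits to a human or require extra verification rather than block outright.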
Reader FAQ
Did PyPI change two-factor authentication in 2025?
Yes. PyPI added email verification for TOTP-based logins to increase resistance to phishing and reported higher uptake of non-phishable 2FA among active users.
Has trusted publishing been expanded to other platforms?
Yes. Support was added for GitLab Self-Managed instances and for custom OIDC issuers for organizations.
How quickly does PyPI handle malware reports?
The safety team processed over 2,000 reports; 66% were handled within four hours and 92% within 24 hours.
Are there continued plans for PyPI in 2026?
PyPI says it will continue focusing on improving security, stability and usability in 2026 (confirmed in the source).
Sources
- Blog: PyPI in 2025: A Year in Review
- Incident Report: Organizations Team privileges
- The PyPI Supply Chain Attacks of 2025: What Every Python …
- The Python Package Index Blog