inbox.ru Domain Prohibition Follow-up
A follow-up to the previous post. We have since learned that the campaign was orchestrated by the company that owns the inbox.ru email domain, and not by a malicious third party as we initially suspected.
A recent spam campaign against PyPI has prompted an administrative action preventing use of the inbox.ru email domain. This applies to new registrations as well as to adding an inbox.ru address as an additional email address on an existing account.
The campaign created over 250 new user accounts, publishing over 1,500 new projects on PyPI, leading to end-user confusion, abuse of resources, and potential security issues.
All relevant projects have been removed from PyPI, and accounts have been disabled.
On April 14, 2025 security@pypi.org was notified of a potential security concern relating to privileges granted to a PyPI User via Organization Teams membership persisting after the User was removed from the PyPI Organization the Team belongs to.
We validated the report as a true finding, identified all cases where this scenario had occurred, notified impacted parties, and released a fix. A full audit determined that all instances were accounted for, with no unauthorized actions taken as a result of the issue.
We're introducing a new Terms of Service to formalize our relationship with users and enable us to move forward with providing new features and services, specifically Organization Accounts.
Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected to receive any more updates.
This allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that no future security fixes or maintenance should be expected.