PyPI introduces a project archival system to combat malicious updates

📟 News

Date: 03/02/2025

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it’s not expected to be updated any time soon.

Archived projects remain available on PyPI, but users will see a warning that should help them to make decisions about which packages they depend on.

The new feature boosts supply-chain security in the PyPI ecosystem: hijacking developer accounts and pushing malicious updates to abandoned (but still popular!) projects is a common attacker trick.

In addition, the new system is expected to increase transparency and reduce support requests from users by clearly communicating a project’s status. Projects marked as “archived” should prompt developers to look for alternative dependencies that are actively supported by their authors, rather than relying on outdated and potentially unsafe projects.

According to Trail of Bits, the team behind the project archival system, maintainers can now mark their projects as “archived”, thus notifying users that no updates, fixes, or support can be expected.

Importantly, project owners can unarchive a project at any time if needed.

The new system builds on the LifecycleStatus model originally designed for quarantining projects, and includes a mechanism for changing a project’s status. In the future, Trail of Bits intends to add more statuses, including deprecated, feature-complete, and unmaintained.
