
The maintainers of the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting its users. The attackers lure victims to fake websites disguised as PyPI in order to steal their credentials.
The emails carry the subject line “[PyPI] Email verification” and are sent from the address noreply@pypj[.]org: the sender domain mimics pypi.org, with the letter “j” in place of “i.” Because the attackers control that lookalike domain outright, such mail can pass SPF and DKIM checks for pypj[.]org, so a glance at the sender name alone is not enough to spot it.
“This is not a security breach of PyPI itself, but rather a phishing attempt and an abuse of the trust users place in PyPI,” writes Mike Fiedler, a PyPI administrator.
The emails contain a link that the recipient is asked to click to verify their email address. It leads to a phishing site disguised as PyPI that harvests whatever credentials are entered.
The fake site then forwards the submitted credentials to the legitimate PyPI site, so the victim ends up logged in on the real service and sees nothing amiss, while the credentials have already been captured by the attackers.
PyPI says it is exploring ways to counter the attack. In the meantime, the maintainers urge users to check the URL in the browser's address bar before logging in, and not to click links in any similar emails they receive.
“If you have already clicked on the link and entered your credentials, we recommend immediately changing your PyPI password,” Fiedler writes. “Check the Security History for your account for any unusual activity.”
It is not yet known who is behind the campaign, but it closely resembles recent phishing attacks on npm users. In the npm case the attackers likewise used a typosquatted domain, npnjs[.]com instead of the legitimate npmjs.com, and sent developers emails about a supposedly required email address verification in order to steal credentials.
Those attacks led to the compromise of several popular packages, some with as many as 30 million downloads per week.
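The advice above boils down to "look closely at the domain," which is exactly what a single-character swap like pypj.org or npnjs.com is designed to defeat. The following Python script is an added example, not PyPI's or npm's own tooling and not from the original article: it parses a constructed email modelled on the "[PyPI] Email verification" lure, extracts the sender domain and every linked host, and flags hosts that sit within one edit (substitution, insertion, deletion or adjacent transposition) of a trusted domain, or that embed a trusted domain as a decoy label (pypi.org.example.net). The trusted-domain list, the sample message and the one-edit threshold are assumptions to adjust for your own environment; a threshold of one keeps false positives low but will miss two-character variants.

```python
"""Flag typosquatted lookalike domains in an e-mail's sender address and links.

Added example, not PyPI's or npm's code. SAMPLE_EMAIL is constructed to
resemble the campaign described in the article; no real message was used.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains this reader actually trusts. Extend as needed.
TRUSTED_DOMAINS = ("pypi.org", "npmjs.com")

# Constructed sample message mirroring the "[PyPI] Email verification" lure.
SAMPLE_EMAIL = """\
From: PyPI <noreply@pypj.org>
To: maintainer@example.com
Subject: [PyPI] Email verification
Content-Type: text/plain; charset="utf-8"

Please verify your email address:
https://pypj.org/account/verify-email/?token=deadbeef

This is an automated message from https://pypi.org/
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: substitution,
    insertion, deletion and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Transposition: a[i-2..i-1] == reversed b[j-2..j-1]
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def host_of(value: str) -> str:
    """Lower-cased host from either an e-mail address or a URL."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def classify(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, imitated_domain).

    'trusted'   exact match or a real subdomain of a trusted domain (mail.pypi.org)
    'lookalike' within max_distance edits of a trusted domain, or a trusted
                domain used as a decoy label elsewhere in the host
    'other'     unrelated host; neither trusted nor obviously imitating one
    """
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    for t in trusted:
        if edit_distance(host, t) <= max_distance:
            return "lookalike", t
        if t in host or t.replace(".", "-") in host:
            return "lookalike", t
    return "other", None


def scan_email(raw: str) -> list:
    """Return [(where, host, verdict, imitated_domain), ...] for the From
    address and every http(s) link found in a plain-text body."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if sender:
        host = host_of(sender)
        findings.append(("From", host) + classify(host))
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    for url in URL_RE.findall(body):
        host = host_of(url)
        findings.append(("link", host) + classify(host))
    return findings


def suspicious(findings: list) -> list:
    """Only the findings that warrant a warning to the user."""
    return [f for f in findings if f[2] == "lookalike"]


if __name__ == "__main__":
    for where, host, verdict, imitated in scan_email(SAMPLE_EMAIL):
        print(f"{where:5} {host:28} {verdict:10} {imitated or ''}")
```

Run against the sample, the script reports the From domain and the verification link as lookalikes of pypi.org while the footer link to the real pypi.org is classified as trusted; the same logic flags npnjs.com against npmjs.com. A subdomain check before the distance check matters: without it, mail.pypi.org would be compared as a whole and wrongly treated as unrelated.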
