The maintainers of the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting users. Attackers aim to redirect victims to fake websites disguised as PyPI with the intent to steal credentials.
It has been reported that attackers are sending emails with the subject line “[PyPI] Email verification” from the address noreply@pypj[.]org. The sender domain mimics pypi.org, with the letter “j” replacing “i.”
“This is not a security breach of PyPI itself, but rather a phishing attempt and an abuse of the trust users place in PyPI,” writes Mike Fiedler, a PyPI administrator.
The emails contain a link, prompting users to click on it to verify their email address. The link leads to a phishing site disguised as PyPI, intended to harvest credentials.
It is noted that after the victim enters their credentials on the fake site, the data is forwarded to the legitimate PyPI site. This lets the attackers convince victims that everything is fine, while in reality their credentials have already ended up in the attackers' hands.
PyPI has stated that they are currently exploring possible methods to combat this attack. In the meantime, maintainers have urged users to carefully check the URL in the browser before logging in and refrain from clicking on links if they have received similar emails.
“If you have already clicked on the link and entered your credentials, we recommend immediately changing your PyPI password,” Fiedler writes. “Check the Security History for your account for any unusual activity.”
Currently, it is unclear who is behind this campaign, but it closely resembles phishing attacks that have recently been affecting npm users. Recall that in the npm case the attackers also relied on typosquatting, using the domain npnjs[.]com (instead of the legitimate npmjs.com), and similarly sent developers emails about a supposedly required email address verification in order to steal credentials.
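The lures described above (pypj.org for pypi.org, npnjs.com for npmjs.com) both rely on a single-character substitution in the domain. A mail gateway or a developer's own triage script can catch that mechanically by comparing sender domains and link hosts against a list of trusted registrar domains with an edit-distance check. The following is an added example written for this article, not code from PyPI, npm or the original post; the `TRUSTED_DOMAINS` list, the `scan_message` helper, the registrable-domain heuristic and the sample message are all assumptions constructed for the demonstration, with the sample indicators written in defanged form and normalised before use.

```python
"""Flag sender domains and link hosts that are one edit away from a trusted
domain, the pattern behind the pypj.org and npnjs.com lures (added example)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of registrar domains a developer actually logs in to.
TRUSTED_DOMAINS = ("pypi.org", "npmjs.com")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(indicator: str) -> str:
    """Turn defanged indicators (pypj[.]org, hxxps://) back into real ones."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic: keep the last two labels.
    Good enough for .org/.com as used here; a real deployment would use the
    public suffix list (assumption noted)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is trusted; a distance of exactly 1 is a lookalike."""
    domain = registrable(refang(domain))
    if domain in trusted:
        return None
    for legit in trusted:
        if levenshtein(domain, legit) == 1:
            return legit
    return None


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_message(sender: str, body: str):
    """Return (where, observed_host, imitated_domain) findings for a message."""
    findings = []
    _, addr = parseaddr(refang(sender))
    sender_domain = addr.rpartition("@")[2]
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(("sender", sender_domain, hit))
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(("link", host, hit))
    return findings


# Constructed sample message modelled on the lure described in the article.
SAMPLE_SENDER = "PyPI <noreply@pypj[.]org>"
SAMPLE_BODY = """Please verify your email address: hxxps://pypj[.]org/account/verify/
Legitimate reference (not flagged): https://pypi.org/account/login/
Related npm-style lure (constructed): https://www.npnjs[.]com/login
"""

if __name__ == "__main__":
    for where, host, legit in scan_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{where}: {host} looks like {legit}")
```

Running the block prints three findings: the sender domain and the first link both imitate pypi.org, and the www.npnjs.com link imitates npmjs.com; the genuine pypi.org link is left alone. A distance of exactly 1 is deliberately narrow so that unrelated short domains are not flagged; widening it to 2 catches more lures at the cost of more false positives.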
As a result of these attacks, a number of popular packages were compromised, some of which have up to 30 million downloads per week.