PyPI Warns Developers About Phishing Attacks

Date: 31/07/2025

The maintainers of the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting users. Attackers aim to redirect victims to fake websites disguised as PyPI with the intent to steal credentials.

Attackers are reportedly sending emails with the subject line “[PyPI] Email verification” from the address noreply@pypj[.]org. The domain mimics pypi.org, with the letter “j” replacing “i.”

“This is not a security breach of PyPI itself, but rather a phishing attempt and an abuse of the trust users place in PyPI,” writes Mike Fiedler, a PyPI administrator.

The emails contain a link, prompting users to click on it to verify their email address. The link leads to a phishing site disguised as PyPI, intended to harvest credentials.

Reportedly, after the victim enters their data on the fake site, the request is sent on to the legitimate PyPI site. This allows the attackers to convince victims that everything is fine, although in reality their credentials end up in the hands of the attackers.

PyPI has stated that they are currently exploring possible methods to combat this attack. In the meantime, maintainers have urged users to carefully check the URL in the browser before logging in and refrain from clicking on links if they have received similar emails.

“If you have already clicked on the link and entered your credentials, we recommend immediately changing your PyPI password,” Fiedler writes. “Check the Security History for your account for any unusual activity.”

Currently, it is unclear who is behind this campaign, but it closely resembles phishing attacks that have recently been affecting npm users. In the npm case, the attackers also use typosquatting, with the domain npnjs[.]com (instead of the legitimate npmjs.com). They similarly send developers emails about a supposedly required email address verification in order to steal credentials.

As a result of these attacks, a number of popular packages were compromised, some of which have up to 30 million downloads per week.
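Both lookalike domains described above differ from the real one by a single character, which a mail filter can catch with an edit-distance check on the sender domain. The following is an added example, not code from PyPI or from the article; the function names, the distance threshold and the sample messages are assumptions, and only the pypj/npnjs domains and the “[PyPI] Email verification” subject come from the text.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender domains we expect mail from (the two legitimate domains in the article).
EXPECTED = ("pypi.org", "npmjs.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message: str, max_distance: int = 2):
    """Return (verdict, sender_domain, imitated_domain) for one raw e-mail."""
    from_header = message_from_string(raw_message).get("From", "")
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("unparsed", "", None)
    for good in EXPECTED:
        # A name match only; From is spoofable, so authenticity still
        # depends on SPF/DKIM/DMARC checks done elsewhere.
        if domain == good or domain.endswith("." + good):
            return ("expected", domain, good)
    # Assumption: two-label registrable domains (.org/.com), no public suffix list.
    registrable = ".".join(domain.split(".")[-2:])
    for good in EXPECTED:
        if edit_distance(registrable, good) <= max_distance:
            return ("lookalike", domain, good)
    return ("unknown", domain, None)

# Constructed sample messages; only the first sender address and subject
# are taken from the article, everything else is made up for the example.
SAMPLES = [
    "From: PyPI <noreply@pypj.org>\nSubject: [PyPI] Email verification\n\nbody\n",
    "From: npm <support@npnjs.com>\nSubject: Verify your email\n\nbody\n",
    "From: PyPI <noreply@pypi.org>\nSubject: Release notice\n\nbody\n",
    "From: Alice <alice@example.com>\nSubject: Hello\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw))
```

A “lookalike” verdict is a signal to quarantine or flag the message for review; an “expected” verdict says nothing about whether the message is authentic.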
