The maintainers of the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting users. Attackers aim to redirect victims to fake websites disguised as PyPI with the intent to steal credentials.
It has been reported that attackers are sending emails with the subject line “[PyPI] Email verification,” which are sent from the address noreply@pypj[.]org. This means the domain mimics pypi.org, with the letter “j” replacing “i.”
“This is not a security breach of PyPI itself, but rather a phishing attempt and an abuse of the trust users place in PyPI,” writes Mike Fiedler, a PyPI administrator.
The emails contain a link, prompting users to click on it to verify their email address. The link leads to a phishing site disguised as PyPI, intended to harvest credentials.
It is noted that after entering the data on the fake site, the request is sent to the legitimate PyPI site. This allows the attackers to deceive victims and convince them that everything is fine, although in reality, their credentials end up in the hands of the attackers.
PyPI has stated that they are currently exploring possible methods to combat this attack. In the meantime, maintainers have urged users to carefully check the URL in the browser before logging in and refrain from clicking on links if they have received similar emails.
“If you have already clicked on the link and entered your credentials, we recommend immediately changing your PyPI password,” Fiedler writes. “Check the Security History for your account for any unusual activity.”
Currently, it is unclear who is behind this campaign, but it closely resembles phishing attacks that have recently been affecting npm users. Recall that in the case of npm, the attackers also use typosquatting and the domain npnjs[.]com (instead of the legitimate npmjs.com). The attackers similarly send emails to developers about supposedly required email address verification to steal credentials.
As a result of these attacks, a number of popular packages were compromised, some of which have up to 30 million downloads per week.
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →