
PyPI Warns Developers of New Phishing Attack via Fake PyPI Site


The Python Package Index (PyPI) is warning users about an ongoing phishing attack that attempts to steal login credentials through fake email verification requests, though the official repository itself has not been compromised.

Phishing Campaign Details

Over recent days, PyPI users who have published packages with their email addresses in package metadata have received suspicious emails titled “[PyPI] Email verification” from the address noreply@pypj.org.

The fraudulent domain uses a lowercase ‘j’ instead of ‘i’, mimicking the legitimate pypi.org domain to deceive recipients.

The phishing emails instruct users to click a link to verify their email addresses, directing them to a fake website that closely resembles the official PyPI interface.

When users attempt to log in on this counterfeit site, their credentials are captured by the attackers and the login request is relayed to the real PyPI, so the login appears to succeed and victims may believe they have accessed their legitimate accounts.

PyPI’s Response

PyPI administrators have implemented several protective measures while investigating the attack.

A prominent warning banner now appears on the PyPI homepage to alert users about the phishing attempt.

The organization has also submitted trademark and abuse notifications to content delivery network providers and domain name registrars to shut down the malicious infrastructure.

“PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site,” stated Mike Fiedler, PyPI Admin and Safety & Security Engineer for the Python Software Foundation.

Security Recommendations

Users who received the fraudulent emails should immediately delete them without clicking any links or providing personal information.

For those who may have already fallen victim to the scam, PyPI strongly recommends changing passwords immediately and reviewing account security history for any unusual activity.

The organization emphasizes the importance of always inspecting browser URLs before entering login credentials, particularly looking for subtle domain name variations that could indicate phishing attempts.
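The advice above, together with the lookalike domain described earlier in this article (a lowercase "j" in place of "i"), is the kind of check that can be automated. The following is an added illustration written for this article, not code from PyPI or the Python Software Foundation: it extracts the sender domain or link hostname from an email address or URL and flags hostnames that are within one edit of a trusted domain, or that embed the trusted name as a subdomain of something else. The trusted-domain list, the email body, and the link path under pypj.org are constructed for the example; the two-label "registrable domain" shortcut is an assumption (a production check would consult the public suffix list).

```python
import re
from urllib.parse import urlparse

# Domains to protect (assumption: only pypi.org for this example).
TRUSTED_DOMAINS = {"pypi.org"}

# Constructed sample message modelled on the campaign described in the article;
# the link path is invented for the example.
SAMPLE_EMAIL = """From: noreply@pypj.org
Subject: [PyPI] Email verification

Please verify your address at https://pypj.org/account/verify-email/
Documentation: https://pypi.org/help/
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_of(value: str) -> str:
    """Lowercase hostname from an email address, a URL, or a bare host."""
    value = value.strip()
    if "://" in value:
        host = urlparse(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = value
    return host.lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    return ".".join(host.split(".")[-2:])


def classify(value: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for an address or URL."""
    host = host_of(value)
    if not host:
        return "unrelated"
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a genuine subdomain of the trusted domain.
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name embedded under another domain, e.g. pypi.org.example.test
        if (trusted + ".") in host:
            return "lookalike"
        # One character off the trusted registrable domain, e.g. pypj.org
        if edit_distance(reg, trusted) <= 1:
            return "lookalike"
    return "unrelated"


def links_in(text: str) -> list:
    """All http(s) URLs found in a message body."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def suspicious_links(text: str) -> list:
    """URLs in the body whose hostname is a lookalike of a trusted domain."""
    return [url for url in links_in(text) if classify(url) == "lookalike"]


if __name__ == "__main__":
    print("sender:", classify("noreply@pypj.org"))
    for url in links_in(SAMPLE_EMAIL):
        print(url, "->", classify(url))
```

The distance threshold of one catches single-character substitutions, insertions and deletions in the registrable domain; the embedded-name check catches the other common pattern where the real domain appears as a subdomain of an unrelated one. Both checks only run on hostnames that are not genuinely under the trusted domain, so legitimate subdomains are not flagged.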

This incident follows other recent security challenges faced by PyPI, including a spam campaign involving the inbox.ru email domain that created over 250 fraudulent accounts and published more than 1,500 fake projects.

PyPI’s proactive security measures reflect the ongoing challenges of protecting the software supply chain that serves over 950,000 users and hosts nearly 662,000 Python packages.

The attack highlights the persistent threat of social engineering in the software development ecosystem, where attackers exploit user trust in established platforms to harvest credentials and potentially compromise software distribution channels.
