Red Hot Cyber


After NPM, now it’s PyPI’s turn: Python users, beware of this new phishing campaign.

Redazione RHC : 30 July 2025 19:11

The maintainers of the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting its users. The attackers aim to redirect victims to fake sites disguised as PyPI and steal their credentials. The emails reportedly carry the subject “[PyPI] Verify Email” and are sent from noreply@pypj[.]org: the domain mimics pypi.org, with the letter “j” replacing the “i.”

“This is not a security breach of PyPI itself, but rather a phishing attempt and abuse of the trust users place in PyPI,” writes Mike Fiedler, PyPI administrator. The emails contain a link and invite users to click it to verify their email address. The link leads to a phishing site masquerading as PyPI and designed to harvest credentials.

Note that after the victim enters their details on the fake site, the request is forwarded to the legitimate PyPI site. The victim is therefore logged in as usual and believes everything is in order, while their credentials have in fact been captured by the attackers.

PyPI said it is already evaluating possible methods to counter the attack. Meanwhile, the PyPI administrators have urged users to carefully check the URL in their browser before logging in and to refrain from clicking links in any similar emails they may have received.

“If you have already followed the link and entered your credentials, we recommend that you change your PyPI password immediately,” Fiedler writes. “Check your account’s security history for any anomalies.”

It’s currently unclear who is behind this campaign, but it is very similar to the phishing attacks that have hit npm users in recent weeks. Recall that, in the case of npm, the attackers also used typosquatting, with the domain npnjs[.]com standing in for the real npmjs.com, and likewise emailed developers about an alleged need to verify their email address in order to steal their credentials.
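Both campaigns rely on a domain that differs from the real registry by a single substituted letter, which is exactly the kind of near-miss an automated check can catch before a user reaches the login page. The following is an added example, not code from PyPI, npm or the article: it extracts the host from a link, accepts only the registry hosts on a maintained allowlist (the allowlist and distance threshold are assumptions), and flags any host within a small edit distance of a trusted one as a look-alike. The sample links are constructed, modelled on the two domains named above.

```python
"""Flag look-alike registry domains in e-mail links (added example, not from the article)."""
from urllib.parse import urlparse

# Legitimate registry hosts (assumption: the allowlist a team would maintain).
TRUSTED_HOSTS = {"pypi.org", "npmjs.com"}

# A host within this edit distance of a trusted host, but not equal to it, is a look-alike
# (assumed threshold; 1 already covers pypj.org and npnjs.com).
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Return the hostname of a URL, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host.

    A host is trusted only if it equals, or is a subdomain of, an allowlisted host;
    'pypi.org.evil.example' is therefore not trusted, because it ends in a different
    registrable domain.
    """
    host = registrable_host(url)
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_HOSTS:
        if 0 < levenshtein(host, trusted) <= MAX_DISTANCE:
            return "lookalike"
    return "unknown"


# Constructed sample links, modelled on the domains the article names.
SAMPLE_LINKS = [
    "https://pypi.org/account/login/",
    "https://pypj.org/account/verify?token=abc",  # 'j' in place of 'i'
    "https://www.npnjs.com/login",                # 'n' in place of 'm'
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10s} {link}")
```

The edit-distance check catches single-character substitutions such as the two domains in this story, but it is a filter, not a verdict: an "unknown" host is merely off the allowlist, not known-good, and internationalised domain names need their punycode form compared separately, since `urlparse` returns the `xn--` host as-is. In a mail gateway or browser extension the "lookalike" outcome is the one to block or warn on; the "trusted" outcome still relies on the allowlist being kept current.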

These attacks have compromised numerous popular packages, some of which are downloaded 30 million times a week.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
