Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
After NPM, now it’s PyPI’s turn: Python users, beware of this new phishing campaign.

30 July 2025 19:11

Those responsible for the Python Package Index (PyPI) have issued a warning about a phishing campaign targeting its users. The attackers aim to redirect victims to fake sites disguised as PyPI and steal their credentials. The attackers allegedly sent emails with the subject “[PyPI] Verify Email” from noreply@pypj[.]org. In other words, the domain mimics pypi.org, with the letter “j” replacing the “i”.

“This is not a security breach of PyPI itself, but rather a phishing attempt and abuse of the trust users place in PyPI,” writes Mike Fiedler, PyPI administrator. The emails contain a link and invite users to click it to verify their email address. The link leads to a phishing site masquerading as PyPI and designed to harvest credentials.

Note that after the victim enters their details on the fake site, the request is forwarded to the legitimate PyPI site. The login therefore appears to succeed, so victims are fooled into thinking everything is in order, even though their credentials have already fallen into the hands of the attackers.

PyPI said it is already evaluating possible methods to counter the attack. Meanwhile, the PyPI administrators have urged users to carefully check the URL in their browser before logging in and to refrain from clicking on links if they have received similar emails.

“If you have already followed the link and entered your credentials, we recommend that you change your PyPI password immediately,” Fiedler writes. “Check your account’s security history for any anomalies.”

It’s currently unclear who is behind this campaign, but it is very similar to the phishing attacks that have hit npm users in recent weeks. Recall that, in the case of npm, the attackers also used typosquatting, with the domain npnjs[.]com standing in for the real npmjs.com. There too, attackers sent developers emails about an alleged need to verify their email address in order to steal their credentials.
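Both campaigns rely on a domain one character away from the real registry (pypj.org for pypi.org, npnjs.com for npmjs.com). The following check, written here as an added example and not code from PyPI, npm or Red Hot Cyber, flags sender and link domains within edit distance 1 of a trusted registry; the sample events are constructed, and the domain-trimming helper assumes two-label registrable domains like these.

```python
from typing import Optional
from urllib.parse import urlparse

# Registries whose login pages are being impersonated (named in the article).
TRUSTED_REGISTRIES = {"pypi.org", "npmjs.com"}

# Constructed sample: sender addresses and link targets as a mail gateway
# or SIEM might extract them from "verify your email" messages.
SAMPLE_EVENTS = [
    {"from": "noreply@pypi.org", "url": "https://pypi.org/manage/account/"},
    {"from": "noreply@pypj.org", "url": "https://pypj.org/account/login/"},
    {"from": "support@npnjs.com", "url": "https://npnjs.com/login"},
    {"from": "ci@example.org", "url": "https://example.org/"},
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: a single substituted letter (i -> j, m -> n) costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Keep the last two labels (pypi.org, npmjs.com). Assumption: adequate for
    these TLDs; a public-suffix list is needed for e.g. .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str, max_distance: int = 1) -> Optional[str]:
    """Return the trusted registry this domain imitates, or None.
    An exact match is the real registry, not a lookalike."""
    if domain in TRUSTED_REGISTRIES:
        return None
    for trusted in TRUSTED_REGISTRIES:
        if levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None

def flag_events(events) -> list:
    """Return sorted (suspicious_domain, imitated_registry) pairs from the
    sender domain and the link host of each event."""
    hits = set()
    for ev in events:
        sender = registrable_domain(ev["from"].rsplit("@", 1)[-1])
        link = registrable_domain(urlparse(ev["url"]).hostname or "")
        for d in {sender, link}:
            target = lookalike_of(d)
            if target:
                hits.add((d, target))
    return sorted(hits)
```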

These attacks have compromised numerous popular packages, some of which are downloaded 30 million times a week.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.