The Python Package Index (PyPI), the official third-party software repository for the Python programming language, has issued a security advisory warning users of an ongoing phishing attack. The campaign targets project maintainers and users with deceptive emails designed to steal their account credentials. PyPI administrators have emphasized that this is not a breach of the PyPI platform itself, but rather a targeted social engineering attack exploiting the community’s trust in the repository.
The attack originates from emails sent from the address noreply@pypj.org, a domain name carefully chosen to mimic the legitimate PyPI domain, pypi.org. As noted in the advisory by PyPI Admin, Safety & Security Engineer Mike Fiedler, the key distinction is the use of a lowercase ‘j’ instead of an ‘i’. The emails carry the subject line “[PyPI] Email verification” and prompt users to click a link to validate their email address, leading them to a convincing but malicious replica of the PyPI login page.
This fraudulent website is specifically crafted to capture the username and password of any user who attempts to log in.
Once the credentials are stolen, attackers could potentially gain control of the user’s account, allowing them to publish malicious packages, alter existing legitimate ones, or access sensitive account information. To combat this, PyPI has placed a prominent warning banner on its homepage and is actively working to take down the malicious infrastructure.
PyPI urges all users to be extremely cautious and to verify the sender’s email address and destination URL before clicking on any links.
Users who have received the phishing email are advised to delete it immediately without interacting with its contents. For those who may have inadvertently clicked the link and entered their credentials, it is critical to change their PyPI password without delay.
Furthermore, impacted users should thoroughly review their account’s “Security History” page for any unauthorized or suspicious activity. PyPI administrators are coordinating with CDN providers and domain name registrars to have the phishing site shut down. This incident serves as a critical reminder for all developers to remain vigilant against phishing attempts that seek to compromise software supply chains.
Reference:
