The Python Package Index (PyPI) is once again the target of a phishing campaign aimed at maintainers, with attackers using domain confusion tactics and convincing emails to steal credentials.
According to Seth Larson, Security Developer-in-Residence at the PSF, “the string of phishing attacks using domain-confusion and legitimate-looking emails continues. This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name.”
The latest campaign lures PyPI maintainers with emails claiming they need to verify their account information. The emails warn that accounts may be suspended unless immediate action is taken.
As Larson explains, “The email asks you to ‘verify their email address’ for ‘account maintenance and security procedures’ with a note that your account may be suspended. This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF.”
The name was chosen to look like official PyPI infrastructure (a "mirror" of pypi.org), but the domain is registered and controlled by the attacker, so credentials entered on it go straight to them.
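The lure works because pypi-mirror.org contains the pypi brand while not being pypi.org at all. The check below is an added example (not code from PyPI, the PSF, or Larson's post) that a maintainer or mail-filter author could run over the links in an email: it extracts the real host of each URL and tests it against an allowlist of official domains on a dot boundary, so that userinfo tricks (`pypi.org@evil`), suffix tricks (`pypi.org.evil.example`) and brand-bearing lookalikes like pypi-mirror.org are all classified as suspicious. The allowlist, the sample links and the `xn--` (punycode) heuristic are assumptions for the example, not a statement of PyPI's own detection logic.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Assumed allowlist of domains the PSF actually controls; extend to taste.
OFFICIAL_DOMAINS = ("pypi.org", "python.org")


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL with userinfo, port and any
    trailing dot stripped. 'https://pypi.org@evil.example/' yields 'evil.example'."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def is_official(host: str) -> bool:
    """True only if host *is* an official domain or a subdomain of one.
    Matching on '.' + domain rejects 'notpypi.org' and 'pypi.org.evil.example'."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def lookalike_brand(host: str) -> Optional[str]:
    """Return the official brand a non-official host borrows ('pypi', 'python'),
    or 'punycode' if any label is an IDN label (possible homograph), else None."""
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    for d in OFFICIAL_DOMAINS:
        brand = d.split(".")[0]
        if brand in host:
            return brand
    return None


def classify_link(url: str) -> str:
    """Classify a single URL as 'official', 'lookalike', 'external' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    if lookalike_brand(host):
        return "lookalike"
    return "external"


def scan_links(urls: Iterable[str]) -> Dict[str, str]:
    """Classify every link found in a message; anything 'lookalike' is a phishing signal."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links, modelled on the campaign but not copied from a real email.
SAMPLE_EMAIL_LINKS = [
    "https://pypi.org/manage/account/",
    "https://pypi-mirror.org/account/verify",
    "https://pypi.org@pypi-mirror.org/login",
    "https://pypi.org.evil.example/verify",
    "https://docs.python.org/3/",
    "https://xn--pyp-rqa.org/",
    "https://example.com/",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_EMAIL_LINKS).items():
        print(f"{verdict:10} {url}")
```

Only the first and fifth sample links come back `official`; every variant that merely contains the word "pypi" is flagged `lookalike`. The allowlist approach is deliberately strict: rather than trying to enumerate attacker domains (Larson expects new ones to keep appearing), it treats anything that is not provably pypi.org or python.org as untrusted.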
For those who may have fallen victim, the guidance is clear: “If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account’s Security History for anything unexpected.”
Victims and recipients of the email are also urged to report it to the PyPI security team so that the PSF can continue to track and mitigate such attacks.
This campaign highlights how critical open-source infrastructure continues to be a high-value target for attackers. By imitating trusted domains and leveraging social engineering, adversaries seek to compromise the very maintainers responsible for securing the software supply chain.
As Larson notes, “We believe this type of campaign will continue with new domains in the future.”
Maintaining vigilance, adopting phishing-resistant authentication (a hardware security key or passkey via WebAuthn rather than a code-based second factor, which a lookalike site can simply relay), and sharing alerts across the ecosystem are vital steps to protect both developers and the users who install their packages.