The Python Software Foundation (PSF) is warning developers about a fresh phishing campaign that targets users of the Python Package Index (PyPI) with convincing but fake emails and a fake login site.
The emails ask recipients to verify their account details for “maintenance and security procedures.” Those who don’t follow the instructions are threatened with account suspension, and the link they are urged to click leads to a spoofed site hosted at pypi-mirror.org.
Seth Larson, a developer at the PSF, explained that anyone who entered their credentials on the phishing site should change their PyPI password right away and review their account’s Security History for any unusual activity. He also encouraged users to report suspicious emails or phishing attempts directly to [email protected].
The danger behind these attacks is not limited to individual accounts. Once threat actors obtain login details, they can tamper with trusted packages already published to PyPI or push out new ones carrying malware, exposing every developer and company that depends on those packages.
This campaign is not the first of its kind. A similar attempt in July used the domain pypj.org to trick developers into handing over their login details. The latest attack follows the same structure, suggesting that more phishing domains could appear in the future.
PyPI maintainers have already taken action by contacting registrars and content delivery networks to remove malicious domains, submitting them to browser blocklists, and coordinating with other open source platforms to improve response times. They are also exploring ways to strengthen two-factor authentication so that phishing attempts are less effective.
Advice from an Expert
Shane Barney, Chief Information Security Officer at Keeper Security, said phishing is not disappearing; it is adapting. Attackers will continue spinning up new domains to trick users, but the real focus for security leaders should be on limiting the damage when someone inevitably clicks.
According to Barney, this starts with stronger authentication methods, such as hardware-based keys like YubiKeys, which resist phishing attempts. Combined with password managers that only auto-fill credentials on verified domains, the two approaches shut down the most common paths attackers rely on.
For enterprises, he added, privileged access management plays a critical role by enforcing least privilege, restricting lateral movement, and monitoring activity. Even if malicious code makes it through, it cannot spread unchecked. “The aim isn’t to eliminate all risk, but to build enough guardrails so one stolen password doesn’t escalate into a full-blown breach,” Barney said.
The practical advice remains the same: do not click on links in emails unless you initiated the action yourself, rely only on verified legitimate domains, and consider using hardware keys for phishing-resistant two-factor authentication. Sharing suspicious emails with peers or community channels is also encouraged, since caution protects not just one developer but the Python community overall.
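As an added illustration of the "verified domain" check that a domain-aware password manager performs before auto-filling (example code written for this article, not PSF or Keeper tooling), the script below classifies link hosts against the real index domain pypi.org and flags the two lookalikes named above; the sample email text and the `classify_link_host` / `suspicious_links` names are constructed for the example, and the registrable-domain logic is simplified (no public-suffix list).

```python
"""Flag links whose host imitates PyPI, the way a domain-aware password manager
refuses to auto-fill credentials on anything but the exact registered site."""
import re
from urllib.parse import urlparse

# Sites for which credentials are legitimately saved (pypi.org is the real index).
LEGITIMATE_DOMAINS = {"pypi.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message modelled on the campaign described in the article.
SAMPLE_EMAIL = (
    "Subject: Action required: verify your PyPI account\n"
    "As part of maintenance and security procedures, verify your details at\n"
    "https://pypi-mirror.org/verify within 48 hours or your account is suspended.\n"
    "Documentation: https://example.com/help\n"
)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character swaps such as pypj/pypi."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link_host(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    # Exact domain or a true subdomain of it: the only case auto-fill should accept.
    if host in LEGITIMATE_DOMAINS or any(host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return "legitimate"
    # Anything else that embeds or nearly spells the brand in any label is a lookalike
    # (covers pypi-mirror.org, pypj.org and pypi.org.evil.example-style hosts).
    for legit in LEGITIMATE_DOMAINS:
        brand = legit.split(".")[0]
        for label in host.split("."):
            if brand in label or _edit_distance(label, brand) <= 1:
                return "lookalike"
    return "unrelated"


def suspicious_links(message: str) -> list:
    """Return every URL in message whose host imitates a legitimate domain."""
    return [u for u in URL_RE.findall(message) if classify_link_host(u) == "lookalike"]


if __name__ == "__main__":
    print(suspicious_links(SAMPLE_EMAIL))  # -> ['https://pypi-mirror.org/verify']
```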