Alert: Hackers Using Fake Websites to Target Python Developers via PyPI


366/68 Friday, September 26, 2025

The Python Software Foundation (PSF) has issued a warning about a new phishing campaign targeting Python developers and project maintainers. Threat actors have set up fake websites impersonating the Python Package Index (PyPI), the official repository for Python packages, and are sending emails that lure users into entering their account credentials on the lookalike login page under the pretext of "account maintenance and security procedures". Recipients are threatened with account suspension if they do not comply. The PSF confirmed that these emails and websites are fraudulent and advised anyone who may have entered their credentials on such a site to reset their PyPI password immediately.

This attack poses a significant threat because of PyPI's reach: the index hosts over 681,400 projects and serves millions of downloads worldwide. If a developer or maintainer account is compromised, an attacker could push a malicious release of an existing, trusted package, insert malicious code into its existing files, or publish entirely new malicious packages under the stolen identity. Any downstream user who installs such a compromised package risks having sensitive data stolen, including personal information, login credentials, passwords, and cryptocurrency wallet details, so a single hijacked maintainer account can have widespread impact.

While this is not the first phishing attempt against PyPI, it represents an evolution of previous campaigns. A similar attack in July used lookalike domains such as pypj[.]org (a one-character substitution for pypi[.]org), and comparable incidents have also been reported against other package repositories such as npm. Security experts warn that such attacks are likely to continue. Developers and users are urged to remain vigilant, to verify the authenticity of any website or email before entering credentials (in particular, check that the link's host is exactly pypi.org rather than a lookalike), and to report suspicious activity or phishing attempts to security@pypi[.]org to aid the investigation and limit further risk.
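The lookalike-domain trick described above is easy to miss by eye, so the following is an added example (not code from the article, the PSF or PyPI) of how a maintainer or a mail-filtering rule could triage the links in a suspicious email. It pulls every URL out of a constructed sample lure, resolves the host a browser would really connect to (which defeats the `https://pypi.org@evil.example/` userinfo trick and Unicode homoglyph hosts), checks it against an allowlist of genuine PyPI/PSF domains (pypi.org, python.org and pythonhosted.org are this example's assumption of the legitimate set), and flags anything within one character of a real domain or merely containing the word "pypi" as a lookalike for human review.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption for this example: the domains PyPI/PSF legitimately use. The article
# itself only mentions pypi.org and python.org; pythonhosted.org is the file CDN.
LEGIT_DOMAINS = {"pypi.org", "python.org", "pythonhosted.org"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def normalize_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, in ASCII form.

    urlparse().hostname discards the userinfo part, so a lure such as
    https://pypi.org@evil.example/ yields evil.example, not pypi.org.
    Unicode hosts are folded to punycode so homoglyph domains surface as xn--...
    """
    host = urlparse(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave the raw host; it will still fail the allowlist check
    return host


def is_legit_host(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character swaps such as pypj.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a normalized host."""
    if is_legit_host(host):
        return "legit"
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # crude "last two labels" heuristic
    for legit in LEGIT_DOMAINS:
        if edit_distance(registrable, legit) <= 1:
            return "lookalike"
        # Brand name embedded in an unrelated domain, e.g. login-pypi.example
        if legit.split(".")[0] in host:
            return "lookalike"
    # Any punycode label on a non-allowlisted host is worth a second look.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    return "unrelated"


def triage_email(body: str) -> List[Tuple[str, str, str]]:
    """Extract every URL from an email body and classify its host."""
    results = []
    for url in URL_RE.findall(body):
        host = normalize_host(url)
        if host is not None:
            results.append((url, host, classify_host(host)))
    return results


# Constructed sample lure modelled on the campaign described above (not a real email).
SAMPLE_EMAIL = """\
Subject: [PyPI] Account maintenance and security procedures

Your account will be suspended unless you verify it within 24 hours:
https://pypj.org/account/verify/
Backup link: https://pypi.org@login-pypi.example/verify
Documentation: https://pypi.org/help/
"""

if __name__ == "__main__":
    for url, host, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:28} {url}")
```

The "contains pypi" rule is deliberately noisy (it would flag a legitimate third-party site whose name includes the brand), so treat a "lookalike" verdict as a prompt to check the address bar manually or to open PyPI from a bookmark, not as an automatic block.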

Source https://www.theregister.com/2025/09/24/pypi_phishing_attacks/