PyPI Warns of New Phishing Attack Targeting Developers With Fake PyPI site

The Python Package Index (PyPI) has issued an urgent warning to developers about an ongoing phishing campaign that exploits domain spoofing techniques to steal user credentials. 

This sophisticated attack targets developers who have published packages on the official repository, leveraging their trust in the PyPI ecosystem to harvest login credentials through a carefully crafted fake website that mimics the legitimate platform.

Key Takeaways
1. Fake emails from pypj.org redirect to a counterfeit PyPI site, stealing credentials.
2. Official PyPI uncompromised, but developers with public emails are being targeted.
3.  Verify pypi.org domain, delete suspicious emails, and change password if compromised.

Overview of PyPI Phishing Campaign

The phishing campaign operates through a multi-stage attack vector that begins with fraudulent emails sent from the domain [email protected], which uses typosquatting by replacing the ‘i’ in the legitimate pypi.org domain with a lowercase ‘j’. 

The malicious emails carry the subject line “[PyPI] Email verification” and from noreply@pypj[.]org specifically target users who have published projects on PyPI with their email addresses included in package metadata.

When recipients click the verification link, they are redirected to a sophisticated phishing site that closely replicates the official PyPI interface. 

The fake site employs a pass-through authentication mechanism, where user credentials are captured and simultaneously forwarded to the legitimate PyPI servers. 

This technique creates the illusion that users have successfully logged into the real PyPI platform while attackers are harvesting their credentials. 

The attack demonstrates advanced social engineering principles by exploiting the established trust relationship between developers and the PyPI ecosystem.

PyPI administrators have confirmed that their infrastructure remains secure and that this represents an external phishing attempt rather than a direct security breach of their systems. 

The organization has implemented immediate countermeasures, including displaying a prominent warning banner on the PyPI homepage to alert users about the ongoing attack. 

Additionally, PyPI has initiated formal trademark and abuse notifications to content delivery network (CDN) providers and domain name registrars to facilitate the takedown of the malicious infrastructure.

Security experts recommend that developers immediately inspect URLs in their browser address bar before entering credentials and delete any suspicious emails without clicking embedded links. 

Users who may have already fallen victim to the attack should immediately change their PyPI passwords and review their account’s Security History for any unauthorized activities. 

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now