Phishing Alert: PyPI Warns of Emails Posing as Verification Requests
Idrees Shafiq

The Python Package Index (PyPI) has warned about an active phishing campaign attempting to lure users to fake websites that closely mimic the official PyPI platform.
Attackers are distributing emails with the subject line “[PyPI] Email verification,” sent from the deceptive address noreply@pypj[.]org. The fake domain is designed to closely resemble the legitimate pypi[.]org, increasing the chances of tricking unsuspecting recipients.
Impersonation and Reverse Proxy Tactics
The phishing emails urge recipients to verify their email by clicking a link, which leads to a replica of the PyPI login page. Once credentials are entered, the fake site immediately forwards them to the real PyPI platform. This redirection allows users to log in successfully, masking the theft of their credentials.
“This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI,” said Mike Fiedler, PyPI Admin.
Recommendations for Users
PyPI is currently evaluating ways to respond to the phishing activity. In the meantime, users are strongly advised to double-check URLs before entering their credentials. Anyone who has received such an email should avoid clicking on the link and manually navigate to the official PyPI website.
Verifying domain names letter by letter, using password managers that auto-fill only on known sites, and installing browser extensions that highlight verified domains can offer additional protection.
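The checks above can also be applied on the mail side rather than by eye. The following script is an added example, not part of the original article and not tooling from PyPI or npm: it pulls the sender domain out of a message's From: header and compares it against a short allowlist of registry domains using edit distance, so that a one-character lookalike such as the pypj[.]org address described above, or the npnjs[.]com domain from the earlier npm campaign, is flagged instead of passing as the real registry. The trusted-domain set and the sample headers are constructed for illustration; the distance threshold of 2 is an assumption that suits short registry names and should be tuned for longer allowlists.

```python
"""Flag inbound mail whose sender domain is a lookalike of a trusted
package-registry domain.

Added example, not the article's or PyPI's own tooling. The allowlist,
threshold and sample headers below are constructed; the lookalike
domains pypj.org and npnjs.com are the ones the article names.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Assumption: these are the registries whose mail we expect to receive.
TRUSTED_DOMAINS = {"pypi.org", "npmjs.com", "github.com"}

# Constructed sample headers, modelled on the campaign the article describes.
SAMPLE_HEADERS = [
    "From: PyPI <noreply@pypi.org>\nSubject: [PyPI] Email verification",
    "From: PyPI <noreply@pypj.org>\nSubject: [PyPI] Email verification",
    "From: npm <support@npnjs.com>\nSubject: Please verify your account",
    "From: Alice <alice@example.net>\nSubject: lunch?",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(raw_headers: str) -> Optional[str]:
    """Return the lower-cased domain of the From: address, or None."""
    m = re.search(r"^From:\s*(.*)$", raw_headers, re.MULTILINE)
    if not m:
        return None
    _, addr = parseaddr(m.group(1))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """'trusted' for an exact match, 'lookalike:<name>' when the domain is
    not trusted but within max_distance edits of a trusted one, otherwise
    'unrelated'. Exact membership is checked first so a real registry
    domain is never reported as a lookalike of itself."""
    if domain in trusted:
        return "trusted"
    nearest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, nearest) <= max_distance:
        return f"lookalike:{nearest}"
    return "unrelated"


def triage(raw_headers: str) -> dict:
    """Combine the sender check with the subject line for a triage record."""
    domain = sender_domain(raw_headers)
    verdict = classify_domain(domain) if domain else "no-sender"
    subj = re.search(r"^Subject:\s*(.*)$", raw_headers, re.MULTILINE)
    return {"domain": domain, "verdict": verdict,
            "subject": subj.group(1) if subj else ""}


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(triage(hdr))
```

Run as-is, the script reports the pypi.org message as trusted, the pypj.org and npnjs.com messages as lookalikes of pypi.org and npmjs.com respectively, and the unrelated sender as unrelated. The same comparison can be applied to link hosts extracted from the message body, which is where the verification link in this campaign actually points; a password manager that auto-fills only on an exact domain match is the client-side equivalent of the "trusted" branch here.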
“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately,” Fiedler said. “Inspect your account’s Security History for anything unexpected.”
Similar Campaigns Targeting the Developer Ecosystem
The ongoing phishing attempt shares characteristics with a previous campaign targeting npm. In that campaign, attackers used the typosquatted domain npnjs[.]com to trick users into providing login credentials. That incident led to the compromise of multiple npm packages and the delivery of malware called Scavenger Stealer, which extracted browser data and system information through a WebSocket connection.
Increasing Sophistication of Supply Chain Threats
These attacks reflect a broader trend of cybercriminals exploiting trust in software repositories. Techniques like typosquatting, impersonation, and reverse proxy phishing are becoming more common across developer platforms like npm, GitHub, and PyPI.
Security experts urge developers to remain cautious and implement layered protections against phishing and supply chain compromise.