PyPI Warns Developers About Ongoing Phishing Attacks
The maintainers of the Python Package Index (PyPI) have issued a warning about a widespread phishing campaign targeting Python developers. Attackers are impersonating PyPI in an effort to steal login credentials by redirecting users to malicious lookalike websites.
How the Attack Works
Developers are receiving phishing emails with the subject line:
"[PyPI] Email verification"
These messages originate from a spoofed email address: noreply@pypj[.]org—a subtle but deceptive variation of the official PyPI domain (pypi.org).
The email prompts recipients to “verify their email address” by clicking a link. The link leads to a fake PyPI login page, visually identical to the real one, designed solely to capture user credentials.
“This is not a breach of PyPI itself,” wrote Mike Fiedler, a PyPI administrator. “It’s a phishing attempt exploiting users’ trust in PyPI.”
Deceptive Redirection Tactic
What makes the attack especially deceptive is its redirect mechanism.
Once victims enter their credentials on the fake site, the page immediately forwards the request to the real PyPI login page, giving the illusion that the login was successful—while in reality, the attackers have already stolen the credentials.
PyPI’s Recommendations
In response, PyPI has issued the following guidance:
- Double-check URLs before logging in—look closely for typos or suspicious domains
- Avoid clicking links in unexpected or unsolicited emails
- If you suspect you’ve entered credentials on a phishing site:
  - Change your PyPI password immediately
  - Review your Security History for unusual activity or logins
Resemblance to Recent npm Phishing Campaigns
The PyPI campaign closely mirrors a similar wave of npm phishing attacks earlier this year, where:
- Attackers used typosquatting domains like npnjs[.]com instead of npmjs.com
- Developers received fake “email verification” prompts
- Stolen credentials were used to hijack accounts and publish malicious versions of popular packages—some with 30 million+ weekly downloads
Investigation and Next Steps
The identity of the attackers remains unknown. PyPI maintainers are actively exploring countermeasures, including improved email protections, domain monitoring, and enhanced user alerts.
Key Takeaways for Developers
- Verify sender email addresses carefully—look out for typos like pypj.org or npnjs.com
- Never enter credentials via email links—manually navigate to trusted domains
- Enable 2FA on all package manager accounts to add an extra layer of protection
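The sender-domain check from the takeaways above, as an added example (not PyPI's or npm's own tooling): it flags From: headers whose domain is a one-or-two-character variant of a trusted registry domain, shares its first label, or embeds the trusted name inside a longer domain. The trusted list, the distance threshold, the treatment of subdomains as trusted, and the sample headers are all assumptions made for this illustration.

```python
# Added example: triage From: headers for lookalikes of package-registry domains.
from email.utils import parseaddr

# Assumed allowlist; pypj.org and npnjs.com from the article are the kind of
# one-character variants this check is meant to catch.
TRUSTED_DOMAINS = {"pypi.org", "npmjs.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of a From: header; defanged '[.]' is normalised first."""
    _, addr = parseaddr(from_header.replace("[.]", "."))
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one From: header."""
    domain = sender_domain(from_header)
    for trusted in TRUSTED_DOMAINS:
        # Assumption: subdomains of a trusted domain are accepted; tighten if your policy differs.
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        same_label = domain.split(".")[0] == trusted.split(".")[0]   # pypi.com, pypi.net
        embedded = trusted in domain                                  # pypi.org.verify-login.net
        if same_label or embedded or levenshtein(domain, trusted) <= max_distance:
            return "lookalike"
    return "unrelated"


def triage(from_headers):
    """Map each From: header to its verdict so a mail filter or SOC script can act on it."""
    return {h: classify_sender(h) for h in from_headers}


# Constructed sample headers (not real mail); the first mirrors the article's spoofed sender.
SAMPLE_FROM_HEADERS = [
    "PyPI <noreply@pypj[.]org>",
    "PyPI <noreply@pypi.org>",
    "npm <support@npnjs[.]com>",
    "colleague@example.com",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10} {header}")
```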
Phishing attacks on open-source infrastructure are rising—and package maintainers are high-value targets. Staying vigilant is no longer optional—it’s essential.