Particle.news

Phishing Campaign Uses Fake Verification Emails to Target PyPI Users

Maintainers are awaiting takedown of spoofed domains after sending abuse notices to registrars

Overview

  • Attackers are sending emails from [email protected] with the subject "[PyPI] Email verification" that direct users to a replica site designed to harvest credentials.
  • Once users enter credentials on the fake site, the login is transparently proxied to the legitimate PyPI to avoid triggering security alerts.
  • PyPI maintainers have added homepage banners warning of the phishing scheme and are urging users to inspect URLs before entering credentials, change any password that was entered on the fake site, and review their account's Security History.
  • Maintainers have sent trademark and abuse notices to registrars and content delivery networks, but the lookalike domains remain active.
  • The phishing campaign mirrors a recent npm attack using a typosquatted domain and underscores growing supply-chain threats in open-source ecosystems.
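The overview describes the two things a defender can check on such a message: whether the sender's domain and the linked hosts are actually pypi.org, and whether a host merely embeds or resembles the legitimate name. The Python below is an added example written for this page (it is not code from Particle.news, PyPI, or the article's authors). It assumes pypi.org is the only legitimate host, and the email body, the sender address and the lookalike hosts under the reserved .example TLD are constructed samples, not the domains used in the campaign.

```python
"""Flag sender and link hosts in a verification-style email that are not
the real pypi.org. Added example; sample message and lookalike hosts are
constructed for illustration and are not the campaign's actual domains."""
import re
from urllib.parse import urlparse

# Assumption: only pypi.org (and its subdomains) is legitimate.
LEGIT_HOSTS = {"pypi.org"}

# Constructed sample message in the shape the overview describes.
SAMPLE_EMAIL = """\
From: noreply@pypi.example
Subject: [PyPI] Email verification
Please verify your email address by clicking the link below:
https://pypi.org.verify-account.example/account/verify
You can also sign in at https://pypi.org/manage/account/ directly.
Support: http://pyp1.example/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FROM_RE = re.compile(r"^From:.*?@([A-Za-z0-9.-]+)", re.MULTILINE)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_host(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify_host(host):
    """Return 'legit', 'lookalike' or 'other' for a host name."""
    host = host.lower().rstrip(".")
    if is_legit_host(host):
        return "legit"
    labels = host.split(".")
    # Lookalike if the real name is embedded as a label (pypi.org.<attacker>)
    # or the second-level label is within one edit of "pypi" (pyp1, pypl, ...).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if "pypi" in host or edit_distance(sld, "pypi") <= 1:
        return "lookalike"
    return "other"


def classify_url(url):
    host = urlparse(url).hostname or ""
    return (url, host, classify_host(host))


def scan_email(text):
    """Classify the sender domain and every link in the message."""
    findings = []
    m = FROM_RE.search(text)
    if m:
        findings.append(("sender", m.group(1), classify_host(m.group(1))))
    for url in URL_RE.findall(text):
        findings.append(classify_url(url))
    return findings


def suspicious(text):
    """Everything that is not verifiably pypi.org, which is what the
    'inspect URLs' guidance amounts to in code."""
    return [f for f in scan_email(text) if f[2] != "legit"]


if __name__ == "__main__":
    for kind, host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:40} {kind}")
```

Run against the constructed message, the sender domain and two of the three links are flagged, and only the link to pypi.org itself passes. The key design choice is that anything not under pypi.org is reported, and the lookalike heuristic only adds a label; a transparent proxy, as the campaign used, makes the fake site behave identically after login, so the host name in the link is the signal to act on, not whether the login "worked".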