Overview
- Attackers are sending emails from [email protected] with the subject "[PyPI] Email verification" that direct users to a replica site designed to harvest credentials.
- Once users enter credentials on the fake site, the login is transparently proxied to the legitimate PyPI to avoid triggering security alerts.
- PyPI maintainers have added homepage banners warning of the phishing scheme and are urging users to inspect URLs, change compromised passwords and review their Security History.
- Maintainers have sent trademark and abuse notices to registrars and content delivery networks, but the lookalike domains remain active.
- The phishing campaign mirrors a recent npm attack using a typosquatted domain and underscores growing supply-chain threats in open-source ecosystems.
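The advice above to inspect URLs before entering credentials can be turned into a simple check on the defender's side. The following is an added example, not code from PyPI or from the original report: it pulls links out of an email body and classifies each hostname as the genuine pypi.org (or a subdomain), a lookalike that imitates it, or unrelated. The sample email and the lookalike hostnames in it are constructed for this example using reserved `.example` and `.test` TLDs; they are not the campaign's real domains, which the report does not name.

```python
"""Flag links in a suspected phishing email that imitate pypi.org.

Added example (not part of the original report). A URL is 'legitimate' when its
host is pypi.org or a subdomain of it, 'lookalike' when the host contains 'pypi'
(e.g. the real domain used as a leading label) or has a second-level label
within one edit of 'pypi', and 'unrelated' otherwise.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "pypi.org"
LEGIT_LABEL = "pypi"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample; the lookalike domains are placeholders, not real ones.
SAMPLE_EMAIL = """\
Subject: [PyPI] Email verification
Please confirm your email address by visiting
https://pypi-verify.example/account/verify?token=abc123
or, if that fails, https://pypi.org.account-check.test/login
Older accounts should use https://pyp1.example/login.
See also https://docs.python.org/3/ and https://pypi.org/help/
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Classify a hostname relative to the legitimate PyPI domain."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    # The real brand embedded anywhere else in the host, e.g. pypi.org.foo.test
    # or pypi-verify.example, is a classic lookalike pattern.
    if LEGIT_LABEL in host:
        return "lookalike"
    labels = host.split(".")
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    # One typo or digit-for-letter swap away from the brand label.
    if edit_distance(second_level, LEGIT_LABEL) <= 1:
        return "lookalike"
    return "unrelated"


def classify_url(url: str) -> str:
    host = urlparse(url).hostname
    return classify_host(host) if host else "unrelated"


def extract_urls(text: str) -> list:
    """Return http(s) URLs found in the text, minus trailing punctuation."""
    return [m.rstrip(".,;:") for m in URL_RE.findall(text)]


def scan_email(text: str) -> dict:
    """Map every URL in the email body to its classification."""
    return {url: classify_url(url) for url in extract_urls(text)}


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {url}")
```

A message that claims to come from PyPI but whose links resolve to anything other than `legitimate` is worth treating as suspect; in the transparent-proxy scenario described above, a successful login on the fake site tells the user nothing, so the link check before submitting credentials is the point at which the attack is cheapest to stop.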