Particle.news

PSF Warns of Fake PyPI Login Site, Urges Immediate Password Resets

Phishing emails route maintainers to pypi-mirror.org, creating a supply-chain risk if compromised accounts are used to alter or upload packages.

Overview

  • Emails threaten account suspension and prompt users to “verify their email address,” directing them to the spoofed domain pypi-mirror.org, which is not operated by PyPI or the PSF.
  • PSF instructs anyone who submitted credentials to change their PyPI password immediately, review their account's Security History, and report suspicious activity to the PyPI security team.
  • Stolen maintainer logins could let attackers modify trusted releases or publish new malicious packages that propagate to downstream users and CI systems.
  • Security guidance highlights phishing-resistant 2FA with hardware keys, password managers that only auto-fill on verified domains, and enterprise privileged access management.
  • The campaign follows a July lure that used pypj.org. PyPI maintainers are pursuing registrar and CDN takedowns, submitting the domains to browser blocklists, and exploring stronger 2FA requirements; they also confirmed that tokens stolen in the GhostAction campaign were invalidated and were never used to publish malware.
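The guidance about password managers that only auto-fill on verified domains rests on one mechanism: matching the exact origin (scheme plus hostname) of the login page rather than looking for "pypi" somewhere in the link. The following Python is an added example, not code from PyPI, the PSF, or this article; the allowlist, the sample links, and the function names are constructed for illustration. It contrasts the substring heuristic a lure is built to pass with an origin check of the kind a password manager performs, run over links shaped like the ones described above (pypi-mirror.org, pypj.org, a subdomain trick, a userinfo trick, and a plain-HTTP variant).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only origin where PyPI account
# credentials should ever be typed. In a real deployment this is the set of
# origins your password manager or browser policy has been told to trust.
TRUSTED_ORIGINS = {("https", "pypi.org")}


def origin_of(url: str) -> Optional[Tuple[str, str]]:
    """Return the (scheme, hostname) pair a browser would treat as the origin,
    or None when the string cannot be parsed into a usable origin."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops userinfo ("pypi.org@evil.example") and any port,
        # and lowercases the host, so lookalikes cannot hide behind case.
        host = parts.hostname
    except ValueError:
        return None
    if not parts.scheme or not host:
        return None
    return (parts.scheme.lower(), host)


def naive_looks_like_pypi(url: str) -> bool:
    """The substring check that phishing lures are designed to satisfy
    (and that a lookalike such as pypj.org sidesteps entirely)."""
    return "pypi" in url.lower()


def is_trusted_login_origin(url: str) -> bool:
    """Exact-origin match: this is what 'auto-fill only on verified domains'
    means in practice. Subdomains, lookalikes, userinfo tricks and plain HTTP
    all produce a different origin and are rejected."""
    origin = origin_of(url)
    return origin is not None and origin in TRUSTED_ORIGINS


# Constructed sample links of the kind a lure email might carry.
SAMPLE_LINKS = [
    "https://pypi.org/account/login/",                   # genuine
    "https://pypi-mirror.org/account/login/",            # domain from this campaign
    "http://pypj.org/account/login/",                    # July lookalike
    "https://pypi.org.verify-account.example/login",     # subdomain trick (hypothetical)
    "https://pypi.org@verify-account.example/login",     # userinfo trick (hypothetical)
    "http://pypi.org/account/login/",                    # right host, wrong scheme
    "https://PYPI.ORG/account/login/",                   # case variation, still genuine
]


def triage(links):
    """Map each link to (naive_verdict, origin_verdict) for side-by-side review."""
    return {u: (naive_looks_like_pypi(u), is_trusted_login_origin(u)) for u in links}


if __name__ == "__main__":
    for url, (naive, strict) in triage(SAMPLE_LINKS).items():
        label = "TRUSTED" if strict else "REJECT"
        print(f"{label:8} substring-match={str(naive):5} {url}")
```

Running it shows why the substring heuristic is worthless in both directions: pypi-mirror.org passes it while the legitimate page does nothing a lookalike cannot imitate, and pypj.org fails it without being any safer. Only the origin comparison separates the real login page from every variant, which is exactly the property a hardware-key 2FA flow and an origin-bound password manager give a maintainer who has already clicked the link.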