Particle.news


PyPI Battles Live Phishing Campaign Exploiting Typosquatted Domain

Seeking to disable the phantom pypj.org site, the Python Software Foundation issued abuse reports, posted homepage alerts, and urged developers to secure their accounts.


Overview

  • Attackers are sending deceptive emails titled "[PyPI] Email verification" from the typosquatted domain pypj.org to lure developers to a replica site.
  • The phantom pypj.org site acts as a reverse proxy, routing login requests through the legitimate PyPI endpoint so victims remain unaware as their credentials are harvested.
  • Although PyPI itself has not been breached, the campaign mirrors a recent npm typosquatting attack and could enable attackers to inject malware into existing packages or upload malicious ones.
  • PyPI has added a warning banner to its homepage and filed trademark and abuse reports with domain registrars and CDN providers in an effort to take down the phishing site.
  • Developers who clicked the phishing link are urged to change their PyPI passwords immediately and inspect their account’s Security History for any unexpected activity.
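As an added example (not code from the Particle.news summary or from the PSF), the following Python check flags the sender domain and every link in a constructed "[PyPI] Email verification" message whose host is one edit away from the legitimate pypi.org domain, which is how a lookalike such as pypj.org would surface in a mail filter; the `LEGIT_DOMAINS` set, the `edit_distance` helper and the sample message are assumptions of this example.

```python
# Added example: flag PyPI-lookalike hosts in a phishing email.
# Not from Particle.news or the PSF; the sample message is constructed.
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"pypi.org"}  # assumption: the only domain we trust

# Constructed sample resembling the "[PyPI] Email verification" lure.
SAMPLE_EMAIL = """\
From: PyPI <noreply@pypj.org>
Subject: [PyPI] Email verification
Content-Type: text/plain

Please verify your email address: https://pypj.org/account/verify/?token=abc
Docs: https://pypi.org/help/
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; typosquats sit at distance 1 from the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, max_distance: int = 1) -> bool:
    """True when host is not legitimate but is within max_distance of one."""
    host = host.lower()
    if host in LEGIT_DOMAINS:
        return False
    return any(edit_distance(host, d) <= max_distance for d in LEGIT_DOMAINS)


def suspicious_hosts(raw_message: str) -> list[str]:
    """Return lookalike hosts found in the From: address and in body links."""
    msg = email.message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = [sender_domain]
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        hosts.append(urlparse(url).hostname or "")
    return sorted({h for h in hosts if h and is_lookalike(h)})
```

Running `suspicious_hosts(SAMPLE_EMAIL)` reports only `pypj.org`; the genuine `pypi.org/help/` link is left alone.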