Overview
- Attackers are sending deceptive emails titled "[PyPI] Email verification" from the typosquatted domain pypj.org to lure developers to a replica site.
- The fraudulent pypj.org site acts as a reverse proxy: it forwards login requests to the legitimate PyPI endpoint, so victims see a normal login flow while their credentials are harvested in transit.
- Although PyPI itself has not been breached, the campaign mirrors a recent npm typosquatting attack and could enable attackers to inject malware into existing packages or upload malicious ones.
- PyPI has added a warning banner to its homepage and filed trademark and abuse reports with domain registrars and CDN providers in an effort to take down the phishing site.
- Developers who clicked the phishing link are urged to change their PyPI passwords immediately and inspect their account’s Security History for any unexpected activity.
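The reverse-proxy lure above works only because pypj.org is one character away from pypi.org. As an added example (not code from PyPI or from the original report), the following mail-filter check flags hostnames in a message that sit within a small edit distance of the legitimate domain without being it or one of its subdomains; the sample message is constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the phishing message described in the report (not a
# captured email); pypj.org is the lookalike domain the report names.
SAMPLE_EMAIL = """From: PyPI <noreply@pypj.org>
Subject: [PyPI] Email verification
Please confirm your address: https://pypj.org/account/verify?token=abc
Docs: https://docs.pypi.org/ and https://pypi.org/help/
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain O(len(a)*len(b)) table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_hosts(text: str) -> set[str]:
    """Collect hostnames from URLs and e-mail addresses found in a message."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    for domain in re.findall(r"[\w.+-]+@([\w.-]+\.\w+)", text):
        hosts.add(domain.lower())
    return hosts

def flag_lookalike_hosts(text: str, legit: str = "pypi.org", max_distance: int = 1) -> list[str]:
    """Return hosts close to `legit` that are neither `legit` nor one of its subdomains."""
    flagged = []
    for host in sorted(extract_hosts(text)):
        if host == legit or host.endswith("." + legit):
            continue  # genuine domain or subdomain, e.g. docs.pypi.org
        # Compare the registrable part (last two labels) so login.pypj.org is caught too.
        registrable = ".".join(host.split(".")[-2:])
        if levenshtein(registrable, legit) <= max_distance:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(flag_lookalike_hosts(SAMPLE_EMAIL))  # ['pypj.org']
```

Raising `max_distance` widens the net to two-character typosquats at the cost of more false positives, so tune it against real mail volume before blocking rather than just flagging.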