Particle.news

Python Software Foundation Flags Active PyPI Phishing With pypi-mirror.org, Urges Immediate Password Resets

Stolen maintainer credentials could let attackers tamper with trusted packages across the ecosystem.

Overview

  • The latest emails pressure recipients to verify their address or face suspension and redirect them to a fake login hosted at pypi-mirror.org.
  • Anyone who submitted credentials is told to change their PyPI password immediately, review their account’s Security History, and report incidents to [email protected].
  • PyPI maintainers are coordinating takedowns with registrars and CDNs, submitting domains to browser blocklists, and cautioning that new lookalike sites are likely.
  • This wave echoes a July lure that used pypj.org, and experts recommend phishing-resistant 2FA and password managers that auto-fill only on verified domains.
  • Given PyPI’s scale, a single compromised maintainer account could seed malicious releases downstream, a risk underscored by recent npm supply-chain incidents.
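The lure above works because a lookalike host such as pypi-mirror.org or pypj.org reads as "PyPI" at a glance. As an added example (not code from the article or from the PSF), the script below extracts links from a constructed email body and flags hosts whose labels contain or sit one edit away from "pypi" while not being an official PyPI host; the LEGITIMATE_HOSTS set is an assumption for this example and should be checked against PyPI's own documentation.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve PyPI login pages. Assumption for this example;
# confirm against PyPI's own documentation before relying on it.
LEGITIMATE_HOSTS = {"pypi.org", "test.pypi.org"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character swaps such as pypj."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a link's hostname."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    # Inspect every label except the TLD so that both pypi-mirror.org and
    # pypi.org.example.test are caught.
    for label in host.split(".")[:-1]:
        if "pypi" in label or levenshtein(label, "pypi") <= 1:
            return "lookalike"
    return "unrelated"

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")

def flag_links(message: str) -> dict:
    """Map every URL found in an email body to its classification."""
    return {url: classify_host(urlparse(url).hostname or "")
            for url in LINK_RE.findall(message)}

# Constructed sample email modelled on the lure described in the article.
SAMPLE_EMAIL = """Your PyPI account will be suspended unless you verify your
email within 24 hours: https://pypi-mirror.org/account/login/
Earlier notice: https://pypj.org/account/login/
Docs: https://pypi.org/help/ and https://docs.python.org/3/"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {url}")
```

A password manager that only auto-fills on the exact registered origin achieves the same effect at the browser, which is why the article recommends it alongside phishing-resistant 2FA.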