The Python Package Index (PyPI) has issued a security advisory warning developers about an active phishing campaign aimed at stealing credentials through cleverly crafted fake emails and spoofed domains.
The phishing emails, disguised as legitimate PyPI communication, are titled “[PyPI] Email verification” and originate from the deceptive address noreply@pypj[.]org—a domain that closely mimics the official pypi[.]org but is, in fact, fraudulent.
A Sophisticated Social Engineering Tactic
According to Mike Fiedler, PyPI administrator, this is not a breach of the PyPI infrastructure, but a phishing attempt designed to exploit developers’ trust in the platform. The email urges users to click on a verification link that leads to a convincing replica of the PyPI login page.
What makes this attack particularly dangerous is the use of a reverse proxy phishing technique. After victims enter their login credentials on the fake site, their information is silently forwarded to the legitimate PyPI site, creating the illusion of a normal login experience—no errors, no red flags.
Guidance for Developers
PyPI is actively exploring mitigation strategies but strongly encourages users to inspect URLs carefully before logging in. Developers should avoid clicking on suspicious links and verify email authenticity by manually checking the domain name—character by character.
To enhance protection, developers can rely on:
- Browser extensions that highlight verified websites
- Password managers that only auto-fill on trusted domains
- PyPI's Security History page, for reviewing recent account activity
If credentials have already been submitted through a phishing link, users are urged to reset their PyPI password immediately.
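The advice above comes down to exact domain matching, which is what a password manager does and what a human reading "pypj" next to "pypi" tends to miss. The following script, an added example that is not part of the advisory or of PyPI's tooling, checks the sender domain and every link host in a raw email against a trusted-domain allowlist and flags look-alikes by edit distance (Damerau-Levenshtein, so one-character typos, swaps and Unicode homoglyphs all register as distance 1). The allowlist, the distance threshold, and the sample message are constructed for the example; the defanged `[.]` notation is accepted so advisory-style indicators can be fed in directly.

```python
"""Flag look-alike sender and link domains in developer-facing email (added example)."""
import email
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: your own allowlist of registrable domains; subdomains of these are accepted.
TRUSTED_DOMAINS = ("pypi.org", "npmjs.com", "github.com")

# Constructed sample modelled on the advisory's description; not a real captured message.
SAMPLE_PHISH = """\
From: PyPI <noreply@pypj[.]org>
To: dev@example.com
Subject: [PyPI] Email verification

Please verify your address: https://pypj[.]org/account/verify
Documentation: https://docs.pypi.org/
"""


def refang(value: str) -> str:
    """Turn defanged notation such as 'pypj[.]org' back into a plain domain string."""
    return value.replace("[.]", ".")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .org/.com, use a public-suffix list in production."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, nearest_trusted_domain).

    'trusted'   exact match or a subdomain of an allowlisted domain
    'lookalike' registrable domain within max_distance edits of an allowlisted one
    'unknown'   anything else (not necessarily safe, just not impersonating the allowlist)
    """
    # NFKC folds full-width and compatibility forms; homoglyphs then count as substitutions.
    host = unicodedata.normalize("NFKC", refang(host)).lower()
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    reg = registrable_domain(host)
    nearest = min(trusted, key=lambda t: damerau_levenshtein(reg, t))
    if damerau_levenshtein(reg, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


def audit_email(raw_message: str) -> dict:
    """Classify the From: domain and every http(s) link host in a single-part text message."""
    msg = email.message_from_string(refang(raw_message))
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    body = msg.get_payload()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "sender": classify_domain(sender_domain),
        "links": {u: classify_domain(urlsplit(u).hostname or "") for u in urls},
    }


def is_suspicious(report: dict) -> bool:
    """True when the sender or any link points at a look-alike of a trusted domain."""
    verdicts = [report["sender"][0]] + [v for v, _ in report["links"].values()]
    return "lookalike" in verdicts


if __name__ == "__main__":
    report = audit_email(SAMPLE_PHISH)
    print("sender:", report["sender"])
    for url, verdict in report["links"].items():
        print("link:", url, verdict)
    print("suspicious:", is_suspicious(report))
```

The threshold of two edits is deliberately loose: it catches `pypj.org` and `npnjs.com` (both distance 1) and a Cyrillic-i `pypі.org`, at the cost of occasional false positives on short domains, which is the right trade-off for a mail-gateway or pre-commit check where a human reviews the hit. Note that `pypi.org.evil.example` is not trusted, because the check is suffix-based on a label boundary rather than a substring search.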
A Pattern Across Developer Ecosystems
While the attackers behind this campaign remain unidentified, the tactics are strikingly similar to recent phishing attacks targeting npm, where a fake domain “npnjs[.]com” was used to compromise several packages. That incident led to the deployment of Scavenger Stealer malware, capable of collecting browser data, system information, and environment variables via WebSocket exfiltration.
These attacks reflect a growing trend in developer-focused phishing campaigns, leveraging:
- Typosquatting
- Impersonation domains
- Reverse proxy phishing techniques
As development workflows become more automated and reliant on trusted tools, maintaining zero trust principles, enforcing domain verification, and educating teams on social engineering threats are more critical than ever.
Source: https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.html