Ethical Hacking News
PyPI users are being targeted by an ongoing phishing campaign that's designed to redirect them to fake sites and harvest their credentials. Learn more about this sophisticated attack and how you can protect yourself.
PyPI users are warned about a phishing campaign targeting them with fake email verification messages. The scam aims to harvest user credentials, not breach PyPI itself. The attack uses a replica phishing site that impersonates PyPI to trick victims into divulging sensitive information. Users should inspect the URL before signing in and refrain from clicking on suspicious links. Anyone who has already clicked should change their password and inspect their account's Security History for anything unexpected.
PyPI users, beware! The maintainers of the Python Package Index (PyPI) have issued a warning about an ongoing phishing campaign that's targeting users in an attempt to redirect them to fake PyPI sites. This cleverly crafted scam has been designed to exploit the trust that users have in PyPI, and it's essential to understand how it works and what you can do to protect yourself.
According to Mike Fiedler, a PyPI Admin, this is not a security breach of PyPI itself but rather a phishing attempt that aims to harvest user credentials. The email messages sent to victims bear the subject line "[PyPI] Email verification" and come from the address noreply@pypj[.]org (note that the domain is "pypj[.]org", not "pypi[.]org"). The message may look legitimate, but it is a phishing attempt designed to trick users into divulging their sensitive information.
The attack works by instructing users to follow a link to verify their email address, which leads to a replica phishing site that impersonates PyPI. The intention behind this is to harvest the user's credentials, such as their username and password. However, in a clever twist, once the login information is entered on the bogus site, the request is routed to the legitimate PyPI site, effectively fooling the victims into thinking that nothing is amiss when, in reality, their credentials have been passed on to the attackers.
This method of phishing is harder to detect because there are no error messages or failed logins to trigger suspicion. The attackers have cleverly designed the email and website to mimic the real PyPI site, making it challenging for users to distinguish between legitimate and fake emails.
PyPI has issued a warning urging users to inspect the URL in the browser before signing in, and not to click the link if they have already received such an email. If you're unsure whether an email is legitimate, a quick letter-by-letter check of the domain name can help. Tools like browser extensions that highlight verified URLs, or password managers that auto-fill only on known domains, add a second layer of defense.
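The letter-by-letter domain check described above, as an added example that is not PyPI's or npm's own tooling: it classifies a sender address or link host as trusted, lookalike, or unknown against a constructed allowlist of registry domains, using edit distance to catch single-character swaps such as pypj.org for pypi.org and npnjs.com for npmjs.com. The allowlist, the naive registrable-domain reduction and the sample inputs are assumptions for illustration.

```python
"""Flag lookalikes of trusted package-registry domains in mail headers and links.

Added example; TRUSTED_DOMAINS is a constructed allowlist, not a real feed.
"""
from urllib.parse import urlparse

# Constructed allowlist of registries a developer actually uses.
TRUSTED_DOMAINS = {"pypi.org", "npmjs.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce 'mail.pypi.org' to 'pypi.org'. Naive last-two-labels rule;
    assumes no multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a subdomain of another site (pypi.org.evil.example)
    # reads correctly at the start of the address bar but is a different owner.
    if any(host.startswith(t + ".") for t in TRUSTED_DOMAINS):
        return "lookalike"
    # One character off (pypj.org vs pypi.org) is the typosquat pattern in the article.
    if any(edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def classify_sender(address: str) -> str:
    """Classify the domain part of a From: address such as noreply@pypj.org."""
    return classify_domain(address.rsplit("@", 1)[-1])


def classify_link(url: str) -> str:
    """Classify the host of a link found in a message body."""
    return classify_domain(urlparse(url).hostname or "")
```

A mail filter or a pre-login browser hook can route anything that comes back "lookalike" to a warning rather than to the user's password manager.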
If you've already clicked on the link and provided your credentials, it's essential to change your password on PyPI immediately. You should also inspect your account's Security History for anything unexpected. It's worth noting that this attack is not just after individual accounts: it also seeks access to accounts that publish or manage widely used packages.
The activity bears striking similarities to a recent npm phishing attack that employed a typosquatted domain "npnjs[.]com" (as opposed to "npmjs[.]com") to send similar email-verification messages and capture users' credentials. In that case, the attack compromised seven different npm packages, delivering a malware called Scavenger Stealer to gather sensitive data from web browsers.
This campaign is part of a growing category of social engineering attacks that exploit how developers interact with the tools they rely on daily. Typosquatting, impersonation, and reverse proxy phishing are just a few of the tactics attackers use in this space. It's essential for developers and users to be aware of these tactics and take the necessary precautions to protect themselves.
In conclusion, the ongoing phishing campaign targeting PyPI users is a reminder that social engineering attacks can be sophisticated and difficult to detect. By understanding how these attacks work and taking steps to protect yourself, you can minimize the risk of falling victim to such scams.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Widespread-Phishing-Campaign-Targeting-PyPI-Users-A-Cautionary-Tale-of-Social-Engineering-ehn.shtml
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.html
Published: Tue Jul 29 14:49:29 2025 by llama3.2 3B Q4_K_M