PyPI Warns Users of Fresh Phishing Campaign
securityweek
The Python Package Index (PyPI), the default platform for Python’s package management tools, is warning users of a fresh phishing campaign relying on domain confusion to harvest credentials.
The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action.
“This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation],” PSF security developer-in-residence Seth Larson warns.
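A defender-side check for the domain confusion Larson describes, as an added example that is not from PyPI or the original article: it extracts links from a message and flags hosts that use the PyPI name without being pypi.org. The trusted-host set, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host treated as genuine here is pypi.org and its
# subdomains; extend the set with other domains your team expects.
TRUSTED_HOSTS = {"pypi.org"}
BRAND = "pypi"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message; only pypi-mirror.org comes from the article.
SAMPLE_EMAIL = """\
Subject: [PyPI] Email verification
Verify your email address: https://pypi-mirror.org/account/verify?token=EXAMPLE
Project page: https://pypi.org/project/sampleproject/
Help: https://pypi.org.login.example.net/help
Alt: https://pypi.org@login.example.net/verify
Unsubscribe: https://example.com/unsubscribe
"""


def is_trusted(host):
    """True only for a trusted host or a real subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_links(text):
    """Return (url, host, verdict) for every http(s) link found in text."""
    results = []
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            netloc = parts.netloc.lower()
        except ValueError:  # e.g. malformed bracketed host
            host, netloc = "", ""
        if not host:
            verdict = "unparseable"
        elif is_trusted(host):
            verdict = "trusted"
        elif BRAND in netloc:  # brand in host or userinfo, but not our domain
            verdict = "lookalike"
        else:
            verdict = "other"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:28} {url}")
```

The comparison is made on the parsed hostname, so a trusted name placed in a subdomain label or before an `@` in the URL does not pass as pypi.org.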
Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.
Those who clicked on the links in these emails and shared their credentials on the fake website, however, are advised to immediately rotate their credentials, check their account’s security history for anomalies, and report suspicious activity ...
Copyright of this story solely belongs to securityweek.