Python developers targeted with new password-stealing phishing attacks - here's how to stay safe

• PyPI warns phishing attacks will persist using fake domains and urgent email tactics
• Victims are tricked into verifying accounts via typosquatted sites like pypi-mirror.org
• Users and maintainers urged to adopt phishing-resistant 2FA and domain-aware password managers

Phishing attacks against PyPI users and maintainers are going to continue, the foundation is warning, as it urged members to tighten up on security and remain vigilant.

A new blog post, published by the foundation's security developer-in-residence, Seth Larson,noted the most recent attacks are a continuation of a months-long campaign that uses convincing emails and typosquatted domains to steal people’s login credentials.

“Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues," Larson wrote. "This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name. Judging from this, we believe ...