Cyberattack Targets Python Developers Through Fake PyPI Website
Python developers are being warned of a new phishing campaign that uses a counterfeit Python Package Index (PyPI) site to steal login credentials. The Python Software Foundation (PSF) issued an alert earlier this week, cautioning that the attackers are exploiting trust in the official PyPI domain to lure users into credential theft.
PyPI is the central repository for Python packages and is widely used by developers to publish and install third-party libraries. The phishing campaign does not involve a breach of PyPI itself, but rather a scheme aimed at compromising the accounts of developers through deceptive emails.
Attackers Impersonate PyPI With Lookalike Domain and Email
The phishing emails appear to be legitimate and are sent under the subject line “[PyPI] Email verification” from the spoofed address noreply@pypj.org. The messages direct recipients to a website that closely mimics the appearance of the real PyPI login page.
“PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site,” said PyPI administrator Mike Fiedler.
Once on the fake site, users are prompted to log in. The form is designed to send credentials back to the attackers while creating the illusion that users have signed into the actual platform.
Objective: Credential Theft for Future Package Compromise
The stolen credentials could be used to:
- Modify existing packages on PyPI with malicious code
- Upload new, malicious packages posing as legitimate libraries
- Launch supply chain attacks affecting developers and downstream applications
To mitigate the threat, PyPI has added a warning banner on its homepage and is working to shut down the fake site. Abuse complaints and trademark violation notices have also been submitted to relevant CDN providers and domain registrars.
“We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent,” Fiedler added.
Recommended Actions for Python Developers
Developers who receive the phishing email are strongly advised to:
- Avoid clicking any links in suspicious messages
- Delete the email immediately
- Change their PyPI password if they interacted with the fake site
- Review account security history for unusual activity
Context: Ongoing Security Challenges at PyPI
This is not the first time PyPI has faced threats to its ecosystem:
- In February 2024, the Project Archival feature was introduced to allow project maintainers to label packages as inactive.
- In March 2024, PyPI temporarily suspended new user registrations after detecting a widespread malware campaign involving hundreds of fake packages.
While this current phishing incident does not stem from a direct compromise of PyPI infrastructure, it poses serious risks to the Python supply chain if developer accounts are taken over.
