PyPI Users Email Phishing Attack

2 miketheman 2 7/28/2025, 2:46:54 PM blog.pypi.org

Comments (2)

zahlman · 4h ago
Ah, I was beaten to it...

The Python Package Index (PyPI), a central repository of third-party Python packages, is now seeing what appears to be a fairly wide-scale phishing attack. The attackers are squatting on "pypj.org" — a plausible typo, but more likely chosen to visually resemble "pypi.org" in a browser address bar.

This was first reported by Python core developer Ethan Furman (@stoneleaf), who was personally targeted, on the Python Discourse forum[1]; the thread title was made more authoritative after it was confirmed that the attack was not a one-off. There is some speculation in the thread that the attack may be targeting developers who have, or ever have had, a package identified as "critical". (Previously, PyPI rolled out a 2FA requirement for owners/maintainers of the most commonly downloaded "critical" packages, along with a security key giveaway[2]; in 2023 they announced[3] that 2FA would be required for all accounts starting at the beginning of 2024, and made good on that[4]. Amusingly, this status designation once took another core developer by surprise[5].)

PyPI staff are well aware of the attack (hence the linked blog post) and have also added a warning banner to the main https://pypi.org site.

[1]: https://discuss.python.org/t/pypi-org-phishing-attack/100267

[2]: https://pypi.org/security-key-giveaway/

[3]: https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...

[4]: https://blog.pypi.org/posts/2024-01-01-2fa-enforced/

[5]: https://discuss.python.org/t/a-defunct-project-of-mine-has-b...

miketheman · 6h ago
There is an active phishing attack targeting PyPI users.

• Threat: Emails from noreply@pypj.org (with a 'j') link to a fake login page.

• Action: Do not click any links. If you already did, change your PyPI password ASAP.

• Note: PyPI itself has not been breached.
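A defender-side check for the lookalike sender domain and link host described in this thread, added here as an example; it is not code from PyPI or from either commenter. The sample message is constructed, and treating python.org as a second trusted domain is an assumption.

```python
"""Flag e-mail sender domains and link hosts that imitate pypi.org.

Added example, not part of the PyPI blog post or the thread. pypj.org is
the domain named in the thread; the sample message and the extra trusted
domain python.org are constructed/assumed test data.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlparse

TRUSTED = {"pypi.org", "python.org"}  # assumption: the domains we care about

# Constructed sample message modelled on the thread's description.
SAMPLE_MAIL = """From: PyPI <noreply@pypj.org>
Subject: Verify your email address
Please confirm your account at https://pypj.org/account/login/ within 7 days.
Docs: https://docs.python.org/3/
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character swaps such as i -> j."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Collapse sub-domains: 'login.pypj.org' -> 'pypj.org' (assumes single-label TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED:
        return None
    for good in TRUSTED:
        if edit_distance(dom, good) == 1:  # one typo or one confusable character away
            return good
    return None


def suspicious_domains(raw: str) -> Dict[str, str]:
    """Map each lookalike domain in headers or body to the trusted domain it imitates."""
    hosts = set(re.findall(r"@([\w.-]+\.\w+)", raw))  # sender/reply addresses
    for url in re.findall(r"https?://[^\s<>\"']+", raw):  # link targets
        hosts.add(urlparse(url).hostname or "")
    return {h: t for h in hosts if (t := lookalike_of(h))}
```

Hosts nested under a trusted name (e.g. pypi.org.example.test) are not caught by this distance check; a deny-list or full registrable-domain logic would be needed for those.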