The Python Software Foundation (PSF) has alerted the community to a fresh wave of phishing emails impersonating Python Package Index (PyPI) notifications. The messages pressure recipients to “verify” their email or face account suspension. Embedded links route users to attacker-controlled domains, where credentials—and in some cases one-time two-factor codes—are harvested.
Phishing technique: domain spoofing and fake PyPI sign-in pages
According to PSF security engineer Seth Larson, the campaign directs victims to pypi-mirror[.]org, a domain that does not belong to PyPI or the PSF. The site mimics the PyPI login flow to capture usernames, passwords, and potentially time-based one-time passwords (TOTPs). Because TOTPs are phishable, attackers can replay them immediately to take over accounts.
Why this matters: software supply chain risk for open-source ecosystems
Compromised maintainer accounts enable adversaries to push malicious releases of popular packages or publish new packages with hidden payloads. Such events propagate downstream through trusted dependency chains, affecting developer environments and production systems. Supply chain attacks via compromised package registries are high-leverage: one compromised maintainer can inadvertently expose thousands of organizations.
Lessons from npm: maintainer account compromise at scale
Similar tactics have hit the npm ecosystem. The compromise of maintainer Josh Junon (Qix)—who oversees 18 packages with a cumulative >2.5 billion weekly downloads—led to dozens of malicious releases and is widely regarded as one of the largest supply-chain incidents in npm history. The episode underscores how maintainer account takeovers can create outsized systemic risk.
Threat landscape: phishing and credential theft remain top initial access vectors
Industry reporting consistently identifies phishing and stolen credentials among the leading causes of breaches. The 2024 Verizon Data Breach Investigations Report notes that the human element continues to feature prominently in incidents, with phishing a common entry point. Once credentials are obtained, adversaries pivot laterally, escalate privileges, and tamper with build and release pipelines—directly relevant to PyPI and other registries.
PSF guidance: harden PyPI accounts and publishing workflows
Adopt phishing-resistant MFA (FIDO2/WebAuthn). Hardware security keys or platform authenticators provide strong protection against credential replay and code theft. This approach aligns with guidance from NIST and CISA for high-risk accounts and CI/CD roles.
Do not click links in unsolicited emails. Instead, navigate directly to pypi.org in your browser or use a trusted bookmark. Password managers can help detect fake domains by autofilling only on legitimate sites.
Use PyPI “Trusted Publishers” and least privilege. Prefer OpenID Connect (OIDC)-based publishing from CI providers rather than long-lived tokens. Segment roles, enforce minimal permissions, and rotate credentials to limit blast radius if any single identity is compromised.
If you interacted with the phishing site or entered credentials
Immediately reset your PyPI password and any reused passwords, invalidate active sessions, and revoke publication tokens and API keys. Review your account’s security logs for anomalies, enable phishing-resistant MFA, and scan recent releases for unauthorized changes. Notify PyPI administrators and, if you maintain widely used packages, proactively inform users about potential exposure and remediation steps.
How to recognize PyPI-themed phishing emails
Be cautious of urgent “verify your email to avoid suspension” messages, mismatched sender addresses, and links that resemble—but are not—pypi.org. Check domains carefully for typosquatting and subdomain tricks. Legitimate PyPI notices will not ask you to enter credentials on third-party domains.
With repeated attempts to subvert open-source supply chains, sustained security hygiene is essential. Maintain phishing-resistant MFA, verify domains before logging in, favor OIDC-based Trusted Publishers, and apply least privilege. Share indicators of compromise with peers and promptly escalate suspicious activity to the PSF and relevant platform security teams.
