Pierluigi Paganini
July 30, 2025
PyPI warns of an active phishing attack using fake “[PyPI] Email verification” messages from noreply@pypj[.]org, aiming to lure users to spoofed PyPI sites.
PyPI, short for the Python Package Index, is the official repository for Python software packages. It’s where Python developers publish and share open-source Python libraries and tools, and where users can install those packages using the pip command (Python’s package installer).
The maintainers pointed out that PyPI has not been hacked.
“Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled:
[PyPI] Email verification
from the email address [email protected].” reads the advisory published by PyPI Admin, Safety & Security Engineer (PSF) Mike Fiedler.
Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org.”
“This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.” continues Fiedler.
A phishing email mimicking PyPI prompts users to verify their email via a fake site. The rogue sites are designed to steal credentials by redirecting logins. PyPI warns users with a homepage banner and urges checking URLs.
“We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent them regarding the phishing site.” continues the alert.
Impacted users who received the phishing email should avoid clicking any links or sharing information and delete the message immediately.
Those who may have clicked the link and entered their credentials are advised to change their PyPI password right away and review their account’s Security History for any suspicious activity.
“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account’s Security History for anything unexpected.” concludes the alert.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
