PyPI credential-theft phishing campaign
Campaign
Summary
A new phishing campaign is impersonating PyPI with fake login pages to steal maintainer credentials, creating a risk of package takeover and malicious uploads. The operation uses pypi-mirror[.]org and previously pypj[.]org, showing recurring targeting rather than a one-off lure. PyPI maintainers are being told to reset passwords, review Security History, and use phishing-resistant 2FA.
Related Happenings
PyPI package spellcheckers delivers next-stage RAT
Malware Activity
First: 28.11.2025 18:27
Last: 28.11.2025 18:27
Sources 1
About this happening:
The malicious **PyPI** package **spellcheckers** was found delivering a **next-stage payload** and a **remote access trojan (RAT)**, creating a direct compromise path for anyone w...
PyPI publishing tokens and secrets stolen in GhostAction campaign
Data Leak
First: 18.09.2025 16:09
Last: 18.09.2025 16:09
Sources 1
About this happening:
A **GhostAction** supply-chain compromise exposed **PyPI** publishing tokens and other secrets, creating immediate risk for maintainer credentials and API access. **PyPI** invalid...
SilentSync delivery via malicious PyPI packages sisaws and secmeasure
Malware Activity
First: 18.09.2025 14:38
Last: 18.09.2025 14:38
Sources 1
About this happening:
Two malicious **PyPI** packages now expand the supply-chain risk for Python developers by delivering the **SilentSync** RAT to **Windows** systems. The packages, **sisaws** and **...
PyPI adds expired-domain checks to block account takeover via domain resurrection
Security Tool/Service
First: 19.08.2025 09:36
Last: 19.08.2025 09:36
Sources 1
About this happening:
**PyPI** has added **expired-domain checks** for account email addresses, reducing **account takeover** risk from **domain resurrection** and **supply-chain attacks**. The control...
Timeline
24.09.2025 16:15 · 2 articles
PyPI phishing campaign warning
Initial Disclosure
The Python Software Foundation warned that a phishing campaign is impersonating PyPI with fake login and password-reset pages to steal maintainer credentials. The emails urge targets to verify their email address for account maintenance and security procedures, then redirect to pypi-mirror[.]org; the same campaign also used pypj[.]org in July. Affected users are told to change their PyPI password immediately, review Security History, avoid email links, use password managers that match domains, and enable phishing-resistant 2FA such as hardware keys.
Sources
- PyPI urges users to reset credentials after new phishing attacks — www.bleepingcomputer.com — 24.09.2025 16:15