Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Home Technology Phishing Campaign Uses Fake PyPI Domain to Steal Login Credentials
Cloud Data Domain Internet phishing PyPI Technology

Phishing Campaign Uses Fake PyPI Domain to Steal Login Credentials

The campaign leverages fake emails made to copy authentic PyPI communications and send recipients to fake domains that mimic the PyPI infrastructure.
October 04, 2025


Phishing campaign via fake domains

A highly advanced phishing campaign targeted maintainers of packages on the Python Package Index (PyPI), utilizing domain confusion methods to obtain login credentials from unsuspecting developers. The campaign leverages fake emails made to copy authentic PyPI communications and send recipients to fake domains that mimic the genuine PyPI infrastructure.

Campaign tactic

The phishing operation uses meticulously drafted emails that ask users to confirm their email address for “account maintenance and security reasons,” cautioning that accounts will be suspended if not done. 

These fake emails scare users, pushing them to make hasty decisions without confirming the authenticity of the communication. The phony emails redirect the victims to the malicious domain pypi-mirror.org, which mimics the genuine PyPI mirror but is not linked to the Python Software Foundation.

Broader scheme 

This phishing campaign highlights a series of attacks that have hit PyPi and similar other open-source repositories recently. Hackers have started changing domain names to avoid getting caught. 

Experts at PyPI said that these campaigns are part of a larger domain-confusion attack to abuse the trust relationship inside the open-source ecosystem.

The campaign uses technical deception and social engineering. When users open the malicious links, their credentials are stolen by the hackers. 

Domain confusion

The core of this campaign depends upon domain spoofing. The fake domain uses HTTPS encoding and sophisticated web design to build its authority, which tricks users who might not pay close attention while accessing these sites. The malicious sites mimic PyPI’s login page with stark reality, such as professional logos, form elements, and styling, giving users an authentic experience. 

This level of detail in the craft highlights robust planning and resource use by threat actors to increase the campaign’s effectiveness.

How to stay safe?

Users are advised to not open malicious links and pay attention while using websites, especially when putting in login details. 

“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account's Security History for anything unexpected. Report suspicious activity, such as potential phishing campaigns against PyPI, to security@pypi.org,” PyPI said in the blog post.

Tags: Cloud Data Domain Internet phishing PyPI Technology
Share it:

Cloud

Data

Domain

Internet

phishing

PyPI

Technology