The Python Software Foundation has issued a warning about a phishing campaign that targets PyPI users with fake websites such as pypi-mirror[.]org and pypj[.]org in order to steal their credentials. Users are advised to use strong security practices, report suspicious activity, and enable phishing-resistant 2FA to protect their accounts.
Key points
- The Python Software Foundation warns of a new wave of phishing attacks targeting PyPI users.
- Attacks involve fake sites mimicking the official PyPI website to steal login credentials.
- Threat actors aim to use stolen credentials for malicious package publishing or further hacking.
- Users are advised to avoid clicking suspicious links, use strong 2FA, and report phishing attempts.
- PyPI has taken measures like invalidating tokens and suspending user registration to combat these threats.