Ah, I was beaten to it...

The Python Package Index (PyPI), a central repository of third-party Python packages, is now seeing what appears to be a fairly wide-scale phishing attack. The attackers are squatting on "pypj.org" — a plausible typo, but more likely chosen to visually resemble "pypi.org" in a browser address bar.

This was first reported by Python core developer Ethan Furman (@stoneleaf), who was personally targeted, on the Python Discourse forum[1]; the thread title was made more authoritative after it was confirmed that the attack was not a one-off. There is some speculation in the thread that the attack may be targeting developers who have, or ever have had, a package identified as "critical". (Previously, PyPI rolled out a 2FA requirement for owners/maintainers of the most commonly downloaded "critical" packages, along with a security key giveaway[2]; in 2023 they announced[3] that 2FA would be required for all accounts starting at the beginning of 2024, and made good on that[4]. Amusingly, this status designation once took another core developer by surprise[5].)

PyPI staff are well aware of the attack (hence the linked blog post) and have also added a warning banner to the main https://pypi.org site.

[1]: https://discuss.python.org/t/pypi-org-phishing-attack/100267
[2]: https://pypi.org/security-key-giveaway/
[3]: https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...
[4]: https://blog.pypi.org/posts/2024-01-01-2fa-enforced/
[5]: https://discuss.python.org/t/a-defunct-project-of-mine-has-b...
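A defender-side check for the lookalike-domain trick described in this comment (pypj.org standing in for pypi.org), added here as an example and not code from the post or from PyPI; it generalizes slightly to also flag a trusted name used as a leading label of some other domain. The trusted-domain list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of domains we expect legitimate mail to link to.
TRUSTED_DOMAINS = ("pypi.org", "python.org")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Extract a normalised hostname; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def lookalike_of(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain this URL's host imitates, or None.

    Rules, in order:
      1. An exact match or a genuine subdomain (files.pypi.org) is not a lookalike.
      2. A trusted name used as a leading label of another domain
         (pypi.org.example.test) is flagged.
      3. A host within max_distance edits of a trusted name (pypj.org) is flagged.
    """
    host = hostname(url)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return None
    for good in trusted:
        if host.startswith(good + "."):
            return good
    for good in trusted:
        if edit_distance(host, good) <= max_distance:
            return good
    return None


if __name__ == "__main__":
    for sample in ("https://pypj.org/account/login", "https://pypi.org/project/pip/",
                   "http://pypi.org.example.test/verify"):
        print(sample, "->", lookalike_of(sample))
```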