https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea

Cybersecurity researchers have uncovered a large-scale phishing campaign targeting Python developers through the Python Package Index (PyPI), the official repository for Python software. The attacks aim to steal developers’ login credentials, potentially compromising their projects and the software supply chain.

According to the report, the phishing emails lure developers with fake notices about issues with their PyPI packages, prompting them to click on malicious links that lead to spoofed PyPI login pages. Once developers enter their credentials, the cybercriminals gain access to their accounts, allowing them to upload malicious code to the affected projects, potentially infecting downstream users.

The researchers warn that the scale and sophistication of these attacks highlight the growing threat facing the open-source software ecosystem. As developers rely more heavily on third-party libraries and tools, the integrity of the software supply chain becomes more exposed to attacks of this kind. Experts urge developers to be vigilant, verify the legitimacy of all communications, and implement robust security measures to protect their accounts and projects from such malicious activity.
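One concrete form of the "verify the legitimacy of all communications" advice above is to check every link in a suspicious PyPI notice against the genuine pypi.org domain before clicking it, since the campaign relies on spoofed login pages. The following is an added example written for this page, not code from PyPI or from the researchers. The email text, the hostnames in it, the `LEGITIMATE_HOSTS` set and the function names (`check_email`, `classify_link`, `is_legitimate_host`) are all constructed here; the only assumption is that genuine PyPI account pages live on pypi.org or a subdomain of it.

```python
"""Flag links in a suspicious "PyPI notice" email that do not point at pypi.org.

Added example for this page; not code from PyPI or the researchers.
The email body and LEGITIMATE_HOSTS are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Assumption: genuine PyPI account pages live on this domain (or a subdomain).
LEGITIMATE_HOSTS = {"pypi.org"}

# Crude URL extractor: good enough for plain-text email bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample email; the hostnames are placeholders, not real sites.
EMAIL_BODY = """\
Subject: [PyPI] Action required: verify your account

Your package has been flagged. Please verify at
https://pypi.org.account-verify.test/login within 24 hours.
Manage your account: https://pypi.org/manage/account/
Alternate link: http://pypi-login.test/
"""


def is_legitimate_host(host: str) -> bool:
    """True only if host is pypi.org itself or a real subdomain of it.

    Compare trailing DNS labels, never a substring: 'pypi.org.example.test'
    contains 'pypi.org' but is a completely different domain.
    """
    host = host.lower().rstrip(".")
    return any(host == legit or host.endswith("." + legit) for legit in LEGITIMATE_HOSTS)


def classify_link(url: str) -> dict:
    """Return a verdict for one URL with the reasons it was flagged."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if not is_legitimate_host(host):
        reasons.append("host is not pypi.org")
        # A host that mentions 'pypi' but is not pypi.org is a classic lookalike.
        if "pypi" in host.lower():
            reasons.append("lookalike of pypi.org")
        # Non-ASCII characters in a hostname can hide a homoglyph attack.
        if any(ord(c) > 127 for c in host):
            reasons.append("non-ASCII characters in host (possible homoglyph)")
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def extract_urls(text: str) -> list:
    """Pull every http(s) URL out of an email body, dropping trailing punctuation."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def check_email(text: str) -> list:
    """Classify every link found in the email body, in order of appearance."""
    return [classify_link(u) for u in extract_urls(text)]


if __name__ == "__main__":
    for result in check_email(EMAIL_BODY):
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{status:10} {result['url']}  {', '.join(result['reasons'])}")
```

The important detail is in `is_legitimate_host`: matching on trailing labels rather than on the substring "pypi.org" is what catches a host such as `pypi.org.account-verify.test`, which is the shape a spoofed login link typically takes. Anything flagged here deserves a manual check by typing pypi.org into the browser directly instead of following the email link.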