PyPI.org Phishing attack

I just received this email (link deliberately broken):

As part of our ongoing account maintenance and security procedures, we’re asking users to verify their email addresses.

Please follow [this link](http s://pypj.org/account/login?user=ethan&token=xxx) to verify your email address.

This link will expire in 72 hours.

If you fail to confirm your email we may remove that email from your account to ensure your security.

Is pypj (that’s a J, not an I) one of ours?

6 Likes

Definitely a fake website. If you check in the footer, some links like donate.pypj.org are broken because they aren’t quite spoofing everything and are instead trying to do a simpler pypi -> pypj text replacement which doesn’t always work.

Probably worth reporting to google who are currently providing the certificate for this domain.

3 Likes
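As an added illustration (not code from this thread or from PyPI), here is a small defender-side check for the lookalike trick described in the two posts above: it pulls links out of a message body and flags any host whose registrable domain is within one edit of an allowlisted domain, so `pypj.org` and `donate.pypj.org` are both caught. The allowlist, the URL regex and the sample message are assumptions constructed for the example; the token value is a placeholder.

```python
import re
from urllib.parse import urlparse

# Assumption: a small allowlist of the hosts we want to protect.
TRUSTED_HOSTS = {"pypi.org", "test.pypi.org"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character swaps like pypi -> pypj."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'registrable domain': last two labels (enough for .org; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    reg = registrable(host)
    for t in TRUSTED_HOSTS:
        if 0 < levenshtein(reg, registrable(t)) <= 1:
            return "lookalike"
    return "unrelated"


def scan_message(body: str) -> list[tuple[str, str]]:
    """Extract http(s) URLs from an email body and classify each one."""
    urls = re.findall(r"https?://[^\s\)\]>\"']+", body)
    return [(u, classify_link(u)) for u in urls]


# Constructed sample modelled on the message quoted in the thread; token is a placeholder.
SAMPLE = (
    "Please follow https://pypj.org/account/login?user=ethan&token=PLACEHOLDER "
    "to verify your email address. Real site: https://pypi.org/account/login/"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:10} {url}")
```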

That can be done here: https://safebrowsing.google.com/safebrowsing/report_phish/ (according to the FAQ)

2 Likes

Thanks, both! Site reported.

1 Like

The site is also using Cloudflare name servers, and is registered with NameSilo LLC, so the abuse reporting for both firms can be used: https://abuse.cloudflare.com / abuse@namesilo.com. I’ve also sent an email to the PSF trademarks committee for obvious trademark infringement.

See https://rdap.namesilo.com/domain/pypj.org & ICANN Lookup.


5 Likes

I have reports on the behalf of the PSF in at this time, and I’m aware that the trademark working group is also working from their angle. Thanks everyone.

1 Like

Thanks for reporting this, @stoneleaf

I updated the title since this is a real attack. Perhaps we should send out a warning to users on one of the announcement and security channels.

This discussion is the top Google result when searching for “pypj.org”… I also received the same email verification request and was suspicious of the domain. I have a real pypi.org account associated with the same email the (fake) verification request was sent to.

I’m a nobody, so if I got this email there’s likely a lot more who also received the same phishing email. One of my projects was marked once as critical, so that could be the criteria they’re using for who to target.

Happy to provide email headers and any other info if requested.