I just received this email (link deliberately broken):
As part of our ongoing account maintenance and security procedures, we’re asking users to verify their email addresses.
Please follow [this link](http s://pypj.org/account/login?user=ethan&token=xxx) to verify your email address.
This link will expire in 72 hours.
If you fail to confirm your email we may remove that email from your account to ensure your security.
Is pypj (that’s a J, not an I) one of ours?
Definitely a fake website. If you check in the footer, some links like donate.pypj.org are broken because they aren’t quite spoofing everything and are instead trying to do a more simple pypi → pypj text replacement which doesn’t always work.
Probably worth reporting to google who are currently providing the certificate for this domain.
That can be done here: https://safebrowsing.google.com/safebrowsing/report_phish/ (according to the FAQ)
Thanks, both! Site reported.
The site is also using Cloudflare name servers, and is registered with NameSilo LLC, so the abuse reporting for both firms can be used: https://abuse.cloudflare.com / abuse@namesilo.com. I’ve also sent an email to the PSF trademarks committee for obvious trademark infringement.
See https://rdap.namesilo.com/domain/pypj.org & ICANN Lookup.
A
I have reports on the behalf of the PSF in at this time, and I’m aware that the trademark working group is also working from their angle. Thanks everyone.
Thanks for reporting this, @stoneleaf
I updated the title since this is a real attack. Perhaps we should send out a warning to users on one of the announcement and security channels.
This discussion is the top Google result when searching for “pypj.org”… I also received the same email verification request and was suspicious of the domain. I have a real pypi.org account associated with the same email the (fake) verification request was sent to.
I’m a nobody, so if I got this email there’s likely a lot more who also received the same phishing email. One of my projects was marked once as critical, so that could be the criteria they’re using for who to target.
Happy to provide email headers and any other info if requested.
I got one too and just wanted to document that the email isn’t assigned to an actual PyPI account but is included in the core packaging meta and so it’s exposed publicly.
It’s a team@ address with forwarding to actual humans. And the scam “verification” URL just extracted the part before @ to inject into the GET param.
Hi gang,
Thanks for your diligence!
Some notices have gone up on social media, mailing lists, and PyPI blog:
Other efforts are underway to evaluate the impact and look at other prevention techniques.
We have implemented a client side protection that should block the trivial proxy attacks like these, and are working with our CDN provider, Fastly, to determine if any of their security products would further protect us from these attacks.
The domain registrar has also placed this domain on a hold.
The incident is over, and here’s a deeper dive.
