PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain
Description
The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that targets users in an attempt to redirect them to fake PyPI sites. The attack involves email messages bearing the subject line "[PyPI] Email verification", sent from the address noreply@pypj[.]org (note that the domain is "pypj", not "pypi[.]org").

"This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI," Mike Fiedler, PyPI Admin, said in a post Monday.

The email messages instruct users to follow a link to verify their email address. The link leads to a replica phishing site that impersonates PyPI and is designed to harvest their credentials. In a clever twist, once the login information is entered on the bogus site, the request is forwarded to the legitimate PyPI site, so the victim sees a normal, successful login while their credentials have already been passed to the attackers. This method is harder to detect because there are no error messages or failed logins to raise suspicion.

PyPI said it's looking at different methods to handle the attack. In the meantime, it's urging users to inspect the URL in the browser before signing in, and to refrain from clicking the link if they have already received such an email. If you're unsure whether an email is legitimate, a quick check of the domain name—letter by letter—can help. Tools like browser…
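The letter-by-letter domain check the article recommends can be automated for a mail-triage pipeline. The script below is an added example, not code from the article or from PyPI: it classifies the From: domain and every http(s) link in a raw message as legitimate, lookalike or unrelated, where "lookalike" covers near-miss spellings such as the pypj.org domain named above and hosts that bury the real name in a longer label. The sample message is constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = {"pypi.org"}                      # domains we expect mail/links from
URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character swaps like pypj."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a host name."""
    host = domain.lower().rstrip(".").split(":")[0]   # drop trailing dot and port
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legit"
    for legit in LEGIT_DOMAINS:
        # A near-miss spelling (pypj.org) or the real name used as a leading
        # label (pypi.org.example.test) are both impersonation patterns.
        if _edit_distance(host, legit) <= 2 or legit in host:
            return "lookalike"
    return "unrelated"

def triage(raw_message: str) -> dict:
    """Classify the sender domain and all http(s) link hosts in a raw e-mail."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    links = {host: classify_domain(host) for host in URL_RE.findall(text)}
    sender_class = classify_domain(sender)
    flagged = sender_class == "lookalike" or "lookalike" in links.values()
    return {"sender": sender, "sender_class": sender_class, "links": links,
            "verdict": "suspicious" if flagged else "ok"}

# Constructed sample mirroring the reported campaign (not a real captured message)
PHISH = ("From: PyPI <noreply@pypj.org>\nSubject: [PyPI] Email verification\n\n"
         "Please verify your email: https://pypj.org/account/verify\n")

if __name__ == "__main__":
    print(triage(PHISH))
```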
