Python 软件包索引（Python Package Index, PyPI）发出警告，指出针对 Python 开发者的网络钓鱼攻击将持续存在，攻击者利用虚假域名和紧急邮件策略诱骗用户。受害者被诱导通过拼写错误的域名（如 pypi-mirror.org）验证账户。PyPI 敦促用户和维护者采用防网络钓鱼的双因素认证（2FA）和具备域名识别功能的密码管理器，以应对日益严峻的安全威胁。

If you recently got an email asking you to verify your credentials to a PyPI site, better change that password ...

PyPI, the default platform for Python's package management tools, is warning users of a fresh phishing campaign.

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by ...

Malicious PyPI package soopsocks downloaded 2,653 times before takedown, exfiltrating Windows data to Discord.

Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects. One of them, using ...

A security firm found three malicious Python libraries uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on ...

A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, ...

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries ...