The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks using a fake Python Package Index (PyPI) website.

PyPI is a repository for Python packages, accessible at pypi.org, that offers a centralized platform for developers to distribute and install third-party software libraries. It hosts hundreds of thousands of packages and is the default source for Python's package management tools.

"PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled '[PyPI] Email verification' from the email address noreply@pypj.org," the PyPI admin Mike Fiedler cautioned.

...read more at bleepingcomputer.com