I wonder if anyone is falling for this and if they are new devs or people leveraging agentic coding and don't actually know Python well?
zahlman•22h ago
It was first reported by a Python core developer. It seems like they are going after fairly high profile targets, such as maintainers of "critical" projects. To my understanding, the fake phishing site is about as good of a copy as they ever are. They appear to have basically copied the HTML and done a regex search-and-replace on the domain name.
It has nothing to do with "knowing Python well". It's a standard web-based phishing attack. If you publish packages on PyPI, then you will commonly also use the pypi.org web interface to manage a user and/or organization account. The attack isn't trying to exploit any kind of ignorance of what PyPI is or how Python works, or how the Python packaging ecosystem works. It's trying to exploit the visual confusion between "i" and "j".
mikece•1d ago
zahlman•22h ago
It has nothing to do with "knowing Python well". It's a standard web-based phishing attack. If you publish packages on PyPI, then you will commonly also use the pypi.org web interface to manage a user and/or organization account. The attack isn't trying to exploit any kind of ignorance of what PyPI is or how Python works, or how the Python packaging ecosystem works. It's trying to exploit the visual confusion between "i" and "j".
Related:
https://news.ycombinator.com/item?id=44711408
https://news.ycombinator.com/item?id=44701913