The Python Software Foundation warned users of a new string of phishing attacks using a phony Python Package Index (PyPI) website and asking victims to verify their account or face suspension, and advised anyone who did provide their credentials to change their password "immediately."
PyPI is extremely widely used, hosting over 681,400 projects and more than 15 million files, making it a target for a massive supply chain attack along the lines of the two npm attacks earlier this month.
The foundation's security developer-in-residence Seth Larson on Tuesday said the latest phish, sent via email, asks PyPI users to "verify their email address" for "account maintenance and security procedures." Failing to do so, it says, may result in a suspended account.
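The practical check a recipient of such a message can apply is to look at where each link actually points rather than at the text around it. The Python below is an added example, not code from the Python Software Foundation or from Larson's advisory: it extracts the links from a constructed sample of a "verify your email" message and flags any whose host is not `pypi.org` or one of its subdomains. The lookalike domain in the sample is invented for illustration; the real phishing domain is not reproduced here.

```python
import re
from urllib.parse import urlparse

# Only links whose host is pypi.org itself or a subdomain of it are trusted.
LEGIT_DOMAINS = ("pypi.org",)

# Matches http(s) URLs up to whitespace or common closing punctuation.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample message modelled on the lure described in the article.
# The lookalike host below is made up; it is not the real phishing domain.
SAMPLE_EMAIL = """\
Subject: [PyPI] Email verification required

Please verify your email address for account maintenance and security
procedures: https://pypi.org.example-lookalike.test/account/verify
Failure to do so may result in a suspended account.

Legitimate reference: https://pypi.org/help/
"""


def host_is_legitimate(url, legit_domains=LEGIT_DOMAINS):
    """Return True only if the URL's host is a legit domain or a subdomain of one.

    urlparse().hostname strips userinfo, so "https://pypi.org@evil.test/"
    yields "evil.test" and is correctly rejected.  Comparing against
    "." + domain prevents "notpypi.org" from passing as a suffix match.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def extract_links(text):
    """Return every http(s) URL in the text, with trailing punctuation removed."""
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]


def find_suspicious_links(email_body, legit_domains=LEGIT_DOMAINS):
    """Return the links in the message that do not point at a legit domain."""
    return [u for u in extract_links(email_body)
            if not host_is_legitimate(u, legit_domains)]


if __name__ == "__main__":
    for link in find_suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", link)
```

The suffix comparison uses `"." + domain` deliberately: a plain `endswith("pypi.org")` would accept `notpypi.org`, and a substring match would accept `pypi.org.example-lookalike.test`, which is exactly the shape a lookalike host takes.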
"This email is fake, and the link