PyPI warns of first-ever phishing campaign against its users

Increase security by passing personal data to google

Oxymoron.

Interesting attack

This is the first time I've seen such a targetted attack and the e-mail was reasonably convincing, not least because the security keys do have to be requested from Google and the communication about them wasn't brilliant. And here, again, there was no direct communication from the PSF about the attack. It's also yet another example of a phishing site being hosted by Google. Really, one might expect them to be on top of this abuse of their hosting.

As a result of the phishing campaign, PyPI announced it is giving away free hardware security keys to the maintainers of critical projects

That's not true. The phishing campaign is a reponse to the giveaway. I informed El Reg about the giveaway a couple of months ago but it was presumably deemed not newsworthy at the time. Why does the media have to wait for things to go wrong before reporting?

It feels to me either that these thing needs to either

1. Verify everything before it gets added. Thoroughly.

or

2. Make it very clear that it is the wild west.

This trying to be the best of both worlds doesn't seem to be all that good of an idea for these things.