QUOTE: PyPI announced it is giving away free hardware security keys to the maintainers of critical projects
New phishing campaign requesting login + password + address to send physical token in 3, 2, 1 ...
The Python Package Index, better known among developers as PyPI, has issued a warning about a phishing attack targeting developers who use the service. The community-run organization said this is the first known phishing attack against PyPI users. And the attack has unfortunately been somewhat successful, resulting in the …
This is the first time I've seen such a targeted attack and the e-mail was reasonably convincing, not least because the security keys do have to be requested from Google and the communication about them wasn't brilliant. And here, again, there was no direct communication from the PSF about the attack. It's also yet another example of a phishing site being hosted by Google. Really, one might expect them to be on top of this abuse of their hosting.
As a result of the phishing campaign, PyPI announced it is giving away free hardware security keys to the maintainers of critical projects
That's not true. The phishing campaign is a response to the giveaway. I informed El Reg about the giveaway a couple of months ago but it was presumably deemed not newsworthy at the time. Why does the media have to wait for things to go wrong before reporting?