The PyPI repository has sounded the alarm about an ongoing phishing campaign aimed at stealing developer credentials.