The PyPI maintainers say a new phishing campaign is targeting Python project maintainers and aiming to steal credentials and compromise projects.