The WordPress Security Team is aware of multiple ongoing phishing scams impersonating both the “WordPress team” and the “WordPress Security Team“ in an attempt to convince administrators to install a plugin on their website which contains malware.
The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.