The Python Software Foundation (PSF) has issued a warning to developers about a sophisticated phishing campaign aimed at users of the Python Package Index (PyPI). The attackers are sending out convincing but fraudulent emails that trick recipients into believing their accounts require verification for “maintenance and security procedures.” The emails threaten account suspension if the user doesn’t comply, pushing them to click a malicious link. This link redirects them to a highly deceptive, spoofed website located at pypi-mirror.org, which is designed to harvest their login details.
According to Seth Larson, a developer at the PSF, any developer who might have entered their credentials on this phishing site should take immediate action. He advises them to promptly change their PyPI password and carefully review their account’s security history for any signs of unusual activity. To combat these threats, Larson also encourages users to be proactive and report any suspicious emails or phishing attempts they encounter directly to the PyPI security team at security@pypi.org.
The potential damage from these attacks extends far beyond a single compromised account. If threat actors manage to obtain a developer’s login details, they can gain control over packages already published on PyPI. They could then inject malicious code into these trusted packages or upload entirely new packages containing malware. This kind of supply chain attack poses a significant risk, as it can expose countless other developers and organizations that rely on those affected packages.
This current campaign isn’t an isolated incident. A very similar attack occurred just a few months ago in July, where attackers used a different but equally deceptive domain, pypj.org, to trick developers into revealing their credentials. The repetition of this attack structure suggests that more phishing domains are likely to emerge in the future, highlighting an ongoing threat that requires continued vigilance from the Python community.
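Both domains in these campaigns share a pattern: a host that is not pypi.org but is built to read like it. As an added illustration (not code from the PSF or from this article), the Python link checker below extracts every URL from an email body and classifies its host as trusted, lookalike or unknown; the trusted-host allowlist and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the PSF actually operates (illustrative allowlist, an assumption of this example).
TRUSTED_HOSTS = ("pypi.org", "python.org", "pythonhosted.org")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between labels signals typosquatting (pypj vs pypi)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host name of a link."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host  # registrable label, e.g. 'pypi-mirror'
    for trusted in TRUSTED_HOSTS:
        if trusted in host:  # brand used as a subdomain of another domain: pypi.org.example.test
            return "lookalike"
        t_label = trusted.split(".")[0]
        if t_label in sld or levenshtein(sld, t_label) <= 1:  # pypi-mirror.org, pypj.org
            return "lookalike"
    return "unknown"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) link from an email body and classify its host."""
    return [(url, classify_host(urlparse(url).hostname or "")) for url in URL_RE.findall(body)]


# Constructed sample message modelled on the campaign described above (not a real email).
SAMPLE_EMAIL = """\
Your PyPI account requires verification for maintenance and security procedures.
Verify now: https://pypi-mirror.org/account/verify?u=maintainer
Previous notice: https://pypj.org/login
Official docs: https://pypi.org/help/#account
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

The allowlist is what keeps real PSF hosts such as files.pythonhosted.org from being flagged; a lookalike verdict is a reason to go to pypi.org by typing it, not to follow the link.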
In response to this persistent threat, PyPI maintainers are taking aggressive measures. They are working with domain registrars and content delivery networks to get the malicious domains taken down and are submitting them to browser blocklists to prevent users from accessing them. They are also collaborating with other open-source platforms to speed up their response times to new threats. Additionally, PyPI is actively exploring ways to strengthen its two-factor authentication (2FA) to make it more resistant to these types of phishing attempts. This multi-pronged approach is crucial to protecting the integrity of the Python ecosystem.