The Python Package Index (PyPI) software repository disclosed yesterday a wave of ongoing phishing attacks aimed at Python project maintainers.
Perpetrators are likely trying to breach the maintainers’ accounts, take them over, and use them to distribute malicious updates through legitimate packages.
“Today we received reports of a phishing campaign targeting PyPI users,” reads a tweet on the Python Package Index Twitter account. “This is the first known phishing attack against PyPI. We’re publishing the details here to raise awareness of what is likely an ongoing threat.”
The tweeted announcements continue to describe the phishing campaign, which involves a fake mandatory validation process for users. The malicious message adds a sense of urgency to the situation by threatening the removal of unverified packages from the PyPI repository.
In the thread, PyPI stated that it will never remove valid projects from the index and will only remove projects found to be harmful or to violate the platform’s Terms of Service.
Upon accessing the faux validation link, users would be redirected to a phishing site disguised as PyPI’s login page, where their credentials would be stolen. According to the advisory, accounts backed by hardware security keys are not vulnerable to the attack, since a WebAuthn credential is bound to the site’s origin and cannot be replayed from a lookalike domain; it is unclear whether the phishing site could relay time-based one-time password (TOTP) two-factor codes, which carry no such origin binding.
The software repository’s team found that the threat actors compromised a few users, injected malware into their legitimate packages, and published it as the projects’ latest releases. In response, PyPI temporarily froze the maintainer accounts and removed the malicious releases from the platform.
Last month, PyPI enforced mandatory two-factor authentication (2FA) for critical Python project maintainers and offered free hardware security keys to some of them.
The repository recommends that users enable 2FA, ideally via hardware security keys or WebAuthn, and use the browser’s built-in password manager, which only autofills credentials on the domain they were saved for. Furthermore, if prompted to enter their credentials, users should check that the “URL in the address bar is pypi.org and that the site’s TLS certificate is issued to pypi.org.”
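The two checks in that advice can be automated. The script below is an added example, not code from PyPI or from the advisory: it rejects a link unless the host is exactly one of the trusted PyPI hosts (the `TRUSTED_HOSTS` set is an assumption), and it checks whether a certificate’s subjectAltName covers the host; the `SAMPLE_CERT` value is constructed so the check runs offline, while `fetch_leaf_cert` fetches a live certificate when a network is available.

```python
"""Added example: validate a link and a TLS certificate against pypi.org."""
import socket
import ssl
from urllib.parse import urlsplit

# Assumption: the only hosts a maintainer should ever enter credentials on.
TRUSTED_HOSTS = {"pypi.org", "test.pypi.org"}

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "pypi.org"), ("DNS", "*.pypi.org"))}


def hostname_verdict(url: str) -> str:
    """Return 'ok' or a reason the link does not point at PyPI.

    The match is exact, so 'pypi.org.validation.example', 'pypi-org.com'
    and 'https://pypi.org@evil.example/' (userinfo trick) are all rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "rejected: scheme is %r, not https" % parts.scheme
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        # Encoding as IDNA turns homoglyph domains into visible xn-- labels.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "rejected: hostname is not a valid domain name"
    if host not in TRUSTED_HOSTS:
        return "rejected: host %r is not pypi.org" % host
    return "ok"


def cert_covers_host(cert: dict, host: str) -> bool:
    """True if a getpeercert()-style dict lists host (or a matching wildcard)."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        # A wildcard only matches one label, e.g. *.pypi.org covers files.pypi.org.
        if value.startswith("*.") and host.count(".") == value.count(".") \
                and host.endswith(value[1:]):
            return True
    return False


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with default CA verification and return the server's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```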
Specialized software such as Bitdefender Ultimate Security could steer you clear of phishing attempts with features like:
- Continuous web monitoring
- Anti-phishing module that blocks websites mimicking trustworthy ones
- Advanced filtering system that warns you whenever the website you visit may try to deceive you
- Web filtering module that blocks suspicious links and warns you about potentially harmful websites