The Python Package Index, better known to developers as PyPI, issued a warning about a phishing attack targeting developers using the service.
The community-run organization said it was the first known phishing attack against PyPI users. And the attack was unfortunately somewhat successful, resulting in some users’ accounts being compromised.
PyPI is an online package registry where Python programmers can upload code modules for their applications and can host software libraries for the benefit of the Python community.
Software supply chain attacks have increased in recent years, and package registries, as links in that chain, have become frequent targets, because hijacking a package maintainer's account or gaining the ability to modify a hosted package makes malware distribution much easier.
“The phishing message claims that a mandatory ‘validation’ process is being implemented and prompts users to follow a link to validate a package or risk the package being removed from PyPI,” the organization said on Twitter, adding that it never removes valid projects from the registry, only those that violate its terms of service.
The phishing pitch is convincingly crafted: popular package registries such as npm, RubyGems and PyPI have all added security requirements, such as mandatory multi-factor authentication for some maintainers, over the past few months, and have published details of the changes. Against that backdrop, an additional validation process seems all the more plausible.
At the same time, criminals have stepped up their efforts to circumvent multi-factor authentication. Last November, security firm Sygnia reported seeing an increase in phishing attacks “that use a Man-in-the-Middle technique to overcome 2FA”.
The attack on PyPI follows the recently disclosed phishing campaign dubbed Oktapus, which several months ago targeted employees of companies that use Okta's authentication service. With the credentials and 2FA codes obtained, the phishers hit marketing firm Klaviyo, mailing service Mailchimp and communications provider Twilio, among others. It may be worth noting that the PyPI phishing email appears to have been sent from a Mailchimp address.
According to PyPI, the phishing link used in the campaign leads to a website that mimics the organization's login page and harvests whatever credentials the victim enters. PyPI doesn't know whether the credential-harvesting site can relay TOTP-based two-factor codes in real time, but says accounts protected by hardware security keys are safe: a WebAuthn/FIDO key signs a challenge bound to the origin it is actually talking to, so a login on a lookalike domain produces nothing the attacker can replay to pypi.org.
The phishing page, hosted on Google Sites at sites[dot]google[dot]com/view/pypivalidate, sent stolen credentials to the domain linkedopports[dot]com. Or rather it did, since the page has since been taken down.
“We have further determined that some maintainers of legitimate projects have been compromised and that malware has been released in the latest version of these projects,” said PyPI.
“These versions have been removed from PyPI and the maintainers’ accounts have been temporarily frozen.”
The organization identified two packages with malicious versions, exotel (0.1.6) and spam (2.0.2 and 4.0.2), and additionally removed several hundred associated typosquats.
“Malicious releases follow a similar pattern, again using linkedopports[dot]com. Currently, the malicious versions we are aware of are:
- exotel==0.1.6
- spam==2.0.2 and ==4.0.2
We have additionally removed several hundred typosquats that match the same pattern.”
– Python Package Index (@pypi) August 24, 2022
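The practical question for anyone who builds on PyPI is whether one of the releases named above is pinned in a requirements file or already installed. The script below is an added example, not PyPI's own tooling: it knows only the two packages and three versions the tweet lists, normalizes names the way the index does (so "Exotel" still matches), flags exact pins on a bad release, and treats any looser specifier on an affected package as something a resolver could still turn into the malicious version. The sample requirements list is constructed for the demonstration.

```python
"""Check requirement pins and the live environment against the malicious
PyPI releases named in the tweet above (added example, not PyPI's own tooling)."""
import re
from importlib.metadata import distributions

# The only releases the page names; extend from PyPI's advisories as needed.
MALICIOUS_RELEASES = {
    "exotel": {"0.1.6"},
    "spam": {"2.0.2", "4.0.2"},
}

# name, optional [extras], optional operator, version (rest of line ignored)
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(===|==|~=|!=|>=|<=|>|<)?\s*([^\s;]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become a single '-'.
    Without this, 'Exotel' or 'exotel_' would slip past a plain string compare."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_requirement(line: str):
    """Return (normalized_name, status) with status 'malicious', 'unpinned' or 'clean',
    or None for blank lines, comments and pip options such as '-r other.txt'.
    Only an exact '==' pin can be compared with certainty; any other specifier on a
    package that has a known-bad release is reported as 'unpinned' because a
    resolver could still pick the malicious version."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
    bad = MALICIOUS_RELEASES.get(name)
    if bad is None:
        return (name, "clean")
    if op == "==":
        return (name, "malicious" if version in bad else "clean")
    return (name, "unpinned")


def scan_requirements(lines):
    """Everything in a requirements list that needs a human look."""
    results = (classify_requirement(line) for line in lines)
    return [r for r in results if r is not None and r[1] != "clean"]


def scan_environment():
    """Compare what pip actually installed (dist-info metadata) with the bad list."""
    hits = []
    for dist in distributions():
        name = normalize(dist.metadata.get("Name") or "")
        if dist.version in MALICIOUS_RELEASES.get(name, ()):
            hits.append((name, dist.version))
    return hits


# Constructed sample requirements file, not a real project's.
SAMPLE_REQUIREMENTS = [
    "requests==2.28.1",
    "Exotel == 0.1.6   # exact pin on the compromised release",
    "spam>=2.0         # range: resolver may choose 2.0.2 or 4.0.2",
    "spam==4.0.1",
    "-r other.txt",
]

if __name__ == "__main__":
    print("requirements:", scan_requirements(SAMPLE_REQUIREMENTS))
    print("installed:", scan_environment())
```

Run against the sample, the script reports exotel as malicious and spam as unpinned; the clean pin on spam 4.0.1 and the unrelated requests line are not reported. Scanning the live environment matters more than scanning the file: a lockfile may be clean while a cached wheel from the bad release is still installed.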
PyPI is also distributing free hardware security keys to maintainers of critical projects, defined as the top 1% of projects by downloads over the past six months. Roughly 3,500 projects are eligible, and their maintainers have until October 1 to redeem a promo code for two free Titan Security Keys (USB-C or USB-A), with free shipping. ®