The Python Software Foundation (PSF) is once again warning developers who use the Python Package Index (PyPI) about a phishing campaign. The attackers are using a lookalike domain to harvest credentials.
This campaign follows the attacks on developers carried out in July of this year. Users are again receiving emails asking them to confirm their email address "for security reasons", with a warning that their accounts will allegedly be locked if they fail to act.
“These emails are fake, and the link in them points to pypi-mirror[.]org — a domain that does not belong to PyPI or the PSF (Python Software Foundation),” warns Seth Larson, a staff security engineer at the PSF.
Larson notes that enabling phishing-resistant multi-factor authentication (MFA) reduces the risk that such phishing poses to PyPI maintainers. He also advises never clicking links in emails and using a password manager, which autofills saved credentials only on the domain they were saved for, so a lookalike domain receives nothing.
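The domain check a password manager performs, and that a developer reading such an email can do by hand, is worth seeing explicitly. The following Python is an added example, not code from the PSF or from this article; the trusted-host list and the sample links are constructed assumptions for illustration. It shows why the hurried-reader check "the host mentions pypi, so it is fine" is exactly the trap a lookalike domain exploits, and how a strict registrable-domain comparison avoids it:

```python
from urllib.parse import urlsplit

# Hosts treated as belonging to PyPI / the PSF. This list is an assumption
# made for the example; adjust it to whatever your organisation trusts.
TRUSTED_HOSTS = {"pypi.org", "pythonhosted.org", "python.org"}

# Constructed sample links, defanged the way indicators are usually shared.
SAMPLE_LINKS = [
    "https://pypi.org/manage/account/",            # genuine account page
    "hxxps://pypi-mirror[.]org/account/verify",    # lookalike domain from the campaign
    "https://pypi.org.evil.example/login",         # trusted name as a *prefix* of another domain
    "https://pypi.org@evil.example/login",         # trusted name hidden in the userinfo part
    "https://upload.pypi.org/legacy/",             # genuine subdomain
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://x[.]org') back into a parseable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def link_host(url: str) -> str:
    """Return the lower-cased hostname of a URL, discarding userinfo, port and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted_host(host: str) -> bool:
    """True only if host is exactly a trusted host or a proper subdomain of one.

    'pypi.org.evil.example' fails because it does not END with '.pypi.org';
    'pypi-mirror.org' fails because it is simply a different domain.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def naive_looks_like_pypi(host: str) -> bool:
    """The intuition a hurried reader applies: 'it says pypi, so it's fine'. Wrong."""
    return "pypi" in host


def classify_link(indicator: str):
    """Return (hostname, trusted?) for a possibly defanged link."""
    host = link_host(refang(indicator))
    return host, is_trusted_host(host)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, ok = classify_link(link)
        verdict = "TRUSTED" if ok else "SUSPECT"
        print(f"{verdict:8} {host:28} naive_check_says_ok={naive_looks_like_pypi(host)}")
```

Run as a script, the output marks pypi-mirror.org, pypi.org.evil.example and evil.example as suspect even though the naive substring check passes two of them; a password manager fails the same lookalikes for the same reason, which is why it will not autofill on the phishing page.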
Those who have already clicked a malicious link and entered their credentials on the fraudulent site are advised to change their password immediately, review their account's security history for anomalies, and report any suspicious activity.
The attackers' goal is to steal credentials for use in follow-on attacks: for example, to push malicious versions of packages already published on PyPI, or to publish new malicious packages.
It is worth noting that maintainers of packages on npm were recently targeted by a similar phishing attack, in which they were asked to update their MFA information to avoid account suspension.
That campaign proved quite successful and compromised multiple maintainers, including Josh Junon (also known as Qix), who maintains 18 packages with a combined total of more than 2.5 billion weekly downloads.
The compromise of Junon's account led to the publication of dozens of malicious package versions and was described as the largest supply-chain attack in npm's history.