Phishing campaign targets the maintainers of PyPI projects

Maintainers of PyPI, the Python Package Index, are warning developers and users of an ongoing phishing campaign that aims to steal maintainers' credentials and has already resulted in malicious updates to some packages.

The campaign begins with emails to developers telling them that they must log in and validate their packages, or the packages will be removed from the index. PyPI is the central index of Python projects from which users search for and download packages. Developers who click the link in the phishing email land on a spoofed PyPI login page that prompts them for their credentials.

“Note that PyPI will NEVER remove a valid project from the index. PyPI only removes projects that violate our terms of service or are otherwise deemed harmful (e.g. malware),” the managers of PyPI said on Twitter Wednesday.

“We are unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes. Accounts protected by hardware security keys are not vulnerable.”

The phishing site is hosted on Google Sites, and any credentials a victim enters are forwarded to a domain controlled by the attackers. The same domain was used to push the malicious package versions. The attackers' goal is to obtain valid credentials for PyPI projects, add malicious versions to those projects, and potentially gain access to the machines of users who download the malicious versions. PyPI officials said they identified at least two malicious builds that were pushed by the attackers.
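Because a taken-over account shows up downstream as an unexpected new release or a replaced file, consumers of a project can catch it with hash-pinned requirements checked against the index's release metadata. The script below is an added example, not PyPI's or pip's own code; it assumes the metadata follows the shape of the PyPI JSON API, and the package name, hashes and dates are constructed.

```python
"""Audit a hash-pinned pip requirement against PyPI-style release metadata.
Added example, not PyPI's or pip's code. `metadata` is assumed to follow the
PyPI JSON API shape (https://pypi.org/pypi/<project>/json): "releases" maps a
version to file records with "digests" and "upload_time_iso_8601". The
package name, hashes and dates below are constructed for illustration."""
import re
from datetime import datetime

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\]+)((?:\s+--hash=\S+)*)")

def parse_requirement(line):
    """Return (name, version, set of pinned sha256 hex digests) for one line."""
    m = REQ_LINE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    pinned = {h.lower() for h in re.findall(r"--hash=sha256:([0-9a-fA-F]{64})", m.group(3))}
    return m.group(1).lower(), m.group(2), pinned

def _ts(iso):  # parse an upload timestamp such as 2022-08-24T03:12:00.000000Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def audit(line, metadata, last_audit_iso):
    """Return findings for one pinned requirement; an empty list means clean.
    Flags a version missing from the index, a pinned hash matching no published
    file (replaced artifact), a line with no pin, and any release uploaded after
    the last audit (a taken-over account shows up as an unexpected new version)."""
    name, version, pinned = parse_requirement(line)
    releases = metadata.get("releases", {})
    if version not in releases:
        return [f"{name}=={version}: version not on index"]
    published = {f["digests"]["sha256"].lower() for f in releases[version]}
    findings = [f"{name}=={version}: pinned sha256 {h[:12]}... matches no published file"
                for h in sorted(pinned - published)]
    if not pinned:
        findings.append(f"{name}=={version}: no --hash pin; a swapped file would go unnoticed")
    last_audit = _ts(last_audit_iso)
    for ver, files in releases.items():
        newest = max(_ts(f["upload_time_iso_8601"]) for f in files)
        if newest > last_audit:
            findings.append(f"{name}: release {ver} uploaded {newest.date()} after last audit")
    return findings

SAMPLE_METADATA = {"releases": {  # constructed, not real index data
    "1.4.0": [{"digests": {"sha256": "a" * 64}, "upload_time_iso_8601": "2022-07-01T10:00:00.000000Z"}],
    "1.4.1": [{"digests": {"sha256": "b" * 64}, "upload_time_iso_8601": "2022-08-24T03:12:00.000000Z"}],
}}
GOOD_LINE = "examplepkg==1.4.0 --hash=sha256:" + "a" * 64

if __name__ == "__main__":
    print(*audit(GOOD_LINE, SAMPLE_METADATA, "2022-08-01T00:00:00Z"), sep="\n")
```

Run against a live project by fetching `https://pypi.org/pypi/<project>/json` and passing the parsed response as `metadata`; the pinned line passes, and only the release that appeared after the last audit is reported.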

“We actively investigate reports of new malicious builds and ensure they are removed and the maintainer's accounts are restored. We are also working to make security features such as 2FA more prevalent in projects on PyPI,” the officials said.

Project owners who believe they have been compromised should immediately reset passwords, reset all 2FA recovery codes, and check their PyPI account logs for any unusual activity. PyPI officials are also encouraging project owners to adopt hardware security keys for 2FA. Last month, PyPI began requiring 2FA for maintainers of projects designated as critical and is offering two free Titan security keys to such maintainers.

Last week, RubyGems started requiring 2FA for projects that have over 180 million downloads, and GitHub has a similar requirement for anyone performing git operations on its platform.
