The Python Package Index (PyPI) sounded the alarm about this campaign and advised developers to take precautions to protect their accounts. The campaign uses a fake version of the PyPI website to trick developers into entering their credentials. Once the credentials have been acquired, the attackers can use them to gain access to developer accounts and repositories.
“This is the first known phishing assault on PyPI,” the repository’s maintainers tweeted. “We’re taking action to mitigate, but we urge all users to be vigilant about credential safety!”
The social engineering approach entails sending security-themed messages that create a misleading sense of urgency: they warn recipients that Google is introducing a mandatory validation process for all packages, and that developers must click a link to validate their packages before the end of September or their PyPI modules will be deleted.
If an unsuspecting developer falls for the scheme, they are taken to a landing page that looks identical to PyPI’s login page. This fake page is hosted on Google Sites; it steals any credentials entered and then redirects the user to the legitimate site, so the victim sees nothing unusual. Attackers then use the stolen credentials to break into accounts and add malware-infected files to packages.
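As an added illustration (not code from the article or from PyPI), the following script shows the kind of link check a developer or mail-filtering rule can apply to a "validate your package" notice like the one described above: it extracts every URL, compares the hostname exactly against an allow-list of PyPI hosts, and separately flags pages hosted on Google Sites, which is where the campaign's fake login page lived. The allow-list, the sample message and the host names are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve PyPI account pages (assumption: illustrative allow-list).
LEGIT_HOSTS = {"pypi.org", "test.pypi.org"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def classify_link(url: str) -> str:
    """Classify one link as 'legit', 'google-sites' or 'suspicious'."""
    host = (urlparse(url).hostname or "").lower()
    # Exact match, never a suffix check: "pypi.org.evil.example" or
    # "evilpypi.org" would pass a naive host.endswith("pypi.org") test.
    if host in LEGIT_HOSTS:
        return "legit"
    # The campaign hosted its clone of the PyPI login page on Google Sites.
    if host == "sites.google.com" or host.endswith(".googleusercontent.com"):
        return "google-sites"
    return "suspicious"


def flag_message(text: str) -> list[tuple[str, str]]:
    """Return every link in a message paired with its classification."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample notice modelled on the lure described in the article (not a real message).
SAMPLE_NOTICE = """
Google is introducing a mandatory validation process for all PyPI packages.
Validate your packages before the end of September or they will be removed:
https://sites.google.com/view/pypi-package-validation/login
Need help? Visit https://pypi.org/help/
"""

if __name__ == "__main__":
    for url, verdict in flag_message(SAMPLE_NOTICE):
        print(f"{verdict:12} {url}")
```

Any link that is not classified as `legit` warrants opening pypi.org by typing the address, never by following the message's link.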
The purpose of the injected code is to download a file from another server. “The sample of this malware is huge, at least 63MB (possibly to avoid detection), and has a valid signature (signed on August 23rd, 2022),” as noted by Checkmarx researcher Aviad Gershon.
“The maintainers’ accounts have been temporarily frozen while these packages are being removed from PyPI,” PyPI said. So far, the three packages known to be affected are “deep-translator,” “exotel,” and “spam.” It was also reported that several hundred typosquats have been taken down.
Following the phishing assault, PyPI announced it would change its hardware security key eligibility criteria. “Any maintainer of a crucial project, regardless of whether they currently use TOTP-based 2FA, is now qualified,” PyPI added.
This phishing campaign highlights the importance of only inputting credentials into legitimate websites and being aware of phishing attempts. Developers should take care to protect their accounts and report any suspicious activity. PyPI is taking action to mitigate the campaign, but all users are advised to be vigilant about credential safety.