- Developers who published projects on PyPI with their email in package metadata are being targeted
- They are asked to “verify” their email address with a fake PyPI platform
- The “verification” process relays login credentials to attackers
Python developers are being targeted with dangerous phishing attacks, The Python Software Foundation (PSF) has warned .
PSF said threat actors were actively targeting developers who have published projects on PyPI with their email in package metadata. These developers are receiving emails asking them to “verify” their email address on the platform, providing a link to do so.
Clicking on the link redirects the victims to a page that looks seemingly identical to the original one – the URL for the original one is PyPI.org, and for the spoofed one – PyPJ.org, a difference small enough to pass under some people’s radars. This type of fraud is called “typosquatting” and is often used in attacks.
Disrupting the scam
The site looks almost the same as the real thing, and prompts the users to log into their accounts. However, sharing the credentials just relays them to the attackers, who can then log into the actual site, and tamper with the packages found there.
PSF is a nonprofit organization that manages and supports the Python programming language, and operates The Python Package Index (PyPI.org), the most popular package index for the programming language in the world.
Tainting legitimate PyPI packages with malware is also a common occurrence. Many Python developers trust the platform, and use the code found there in various projects. By downloading malicious packages, they can grant attackers access to their projects, and possibly even sensitive company files.
To tackle the impersonation campaign, PyPI admins added a banner to the homepage, and have reached out to CDN providers and name registrars to terminate the phishing sites.
Python developers who received such emails are advised not to click on any links, and just delete the emails immediately. Those who are unsure if the email they received is legitimate or not are advised to open up PyPi directly in their browser, instead of clicking any links in the email.
Via BleepingComputer
