Article Details

Scrape Timestamp (UTC): 2025-09-24 19:18:36.360

Source: https://www.theregister.com/2025/09/24/pypi_phishing_attacks/

Original Article Text


New string of phishing attacks targets Python developers

If you recently got an email asking you to verify your credentials to a PyPI site, better change that password.

The Python Software Foundation warned users of a new string of phishing attacks using a phony Python Package Index (PyPI) website and asking victims to verify their account or face suspension, and advised anyone who did provide their credentials to change their password "immediately."

PyPI is extremely widely used, hosting over 681,400 projects and more than 15 million files, making it a target for a massive supply chain attack along the lines of the two npm attacks earlier this month.

The foundation's security developer-in-residence Seth Larson on Tuesday said the latest phish, sent via email, asks PyPI users to "verify their email address" for "account maintenance and security procedures." Failing to do so, it says, may result in a suspended account.

"This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF," Larson warned via the PyPI blog.

The worry here is that a developer would fall for the phish and enter their credentials into the fake domain, thus handing their credentials over to the criminals and enabling them to hijack legitimate PyPI accounts owned by the same developer. With this access, miscreants could inject malware into the compromised maintainer's existing Python packages, or even publish entirely new malicious ones, which would then run on users' machines and be capable of stealing secrets, credentials, cryptocurrency wallets, and other sensitive data.

"If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately," he said, adding that users should also review their accounts' security history for anything unusual, and report suspicious activity, such as potential phishing emails, to security@pypi.org.
These attacks are a continuation of a July campaign that targeted PyPI users with a fake domain - pypj[.]org instead of pypi.org - according to Larson. "Judging from this, we believe this type of campaign will continue with new domains in the future."

The attack vector resembles that of two npm attacks in recent weeks. The first npm attack, while ultimately unsuccessful, also started with a phishing email asking developers to authorize a two-factor authentication reset, thus allowing criminals to hijack developers' accounts and poison dozens of npm packages. The suspected attackers had more luck with the second round, in which they used a self-propagating worm to compromise hundreds of npm packages.

Last year, more than 170,000 users were affected by a similar supply-chain attack that used various techniques to distribute malware-laced PyPI packages.

"This is a high-severity supply chain risk," Jason Soroko, a senior fellow at certificate lifecycle management provider Sectigo, said in an email to The Register about the latest PyPI phishing campaign. "A single compromised maintainer account can seed malware into widely used packages and the blast radius extends to CI systems and production," he added, noting that the lookalike domain is likely to trick even "seasoned developers."

"Because open source ecosystems are highly transitive, one tainted update can cascade through thousands of downstream builds in hours," Soroko said. "Treat it as a credible attempt to weaponize software distribution and not just another phishing wave."
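The tell in both campaigns is a verification link whose host is a lookalike rather than pypi.org. As an added example (not code from the article, The Register, or the PSF), a small Python checker that pulls links out of an email body, accepts only pypi.org and its subdomains, and flags the two lookalike domains the article names plus near-miss spellings of "pypi"; the sample email body is constructed.

```python
# Added example (not from the article or the PSF): flag links in a PyPI-themed
# email whose host is not the real pypi.org. The two lookalike domains are the
# ones the article names; the sample email body below is constructed.
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "pypi.org"
KNOWN_LOOKALIKES = {"pypi-mirror.org", "pypj.org"}   # named in the article
URL_RE = re.compile(r"https?://[^\s<>'\")]+")

def registrable(host: str) -> str:
    """Last two labels of a hostname (sufficient for .org/.net/.com examples)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character swaps such as pypj -> pypi."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """'legit' for pypi.org and its subdomains, otherwise a reason string."""
    host = (urlparse(url).hostname or "").lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    reg = registrable(host)
    if reg in KNOWN_LOOKALIKES:
        return "known-lookalike"
    label = reg.split(".")[0]            # e.g. "pypi-login" from pypi-login.net
    if "pypi" in label or levenshtein(label, "pypi") <= 1:
        return "suspected-lookalike"
    return "off-domain"

def suspicious_links(email_body: str) -> list:
    """(url, verdict) for every link in the body that is not on pypi.org."""
    return [(u, v) for u in URL_RE.findall(email_body)
            if (v := classify_link(u)) != "legit"]

# Constructed sample modelled on the email the article describes.
SAMPLE_EMAIL = """Please verify your email address for account maintenance:
https://pypi-mirror.org/account/verify?u=maintainer
Reference: https://pypi.org/help/#security"""
```

Running `suspicious_links(SAMPLE_EMAIL)` returns only the pypi-mirror.org link with the verdict "known-lookalike"; the genuine pypi.org help link is accepted.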

Daily Brief Summary

CYBERCRIME // Phishing Campaign Targets Python Developers via Fake PyPI Website

A recent phishing attack targets Python developers by impersonating the Python Package Index (PyPI) to steal credentials, posing a significant threat to software supply chains.

Attackers use a fraudulent domain, pypi-mirror.org, to trick developers into providing credentials, risking account hijacking and potential malware injection into Python packages.

The Python Software Foundation advises developers who entered credentials on the fake site to change their PyPI passwords immediately and review account security history.

This attack mirrors previous npm phishing incidents, with attackers potentially using compromised accounts to distribute malware across widely used packages.

Experts warn of the high-severity risk, as compromised accounts could propagate malware through continuous integration systems, affecting thousands of downstream builds rapidly.

The campaign is a continuation of earlier attacks, indicating a persistent threat to open-source ecosystems, with new domains likely to be used in future phishing attempts.

Developers are urged to treat this as a serious attempt to weaponize software distribution, not just another phishing incident, highlighting the need for vigilance in credential management.