The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.
“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.
A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed.
The maintainers have confirmed that the email is fake and that only projects “which violate our TOS or are in some way determined to be harmful (e.g., malware)” will ever be removed.
If PyPI users follow the link, they are taken to a page mimicking the index’s official login page that harvests their credentials. PyPI says it has determined that some maintainers of legitimate projects have been compromised.
Malware was published as the latest release of the compromised projects, so those releases have been removed from PyPI and the relevant maintainer accounts have been temporarily frozen.
“This malware is untypically large, ~63MB, (possibly in an attempt to evade AV detection) and has a valid signature (signed on August 23rd, 2022),” wrote Checkmarx researcher Aviad Gershon in an analysis.