Skip links

PyPI warns of first-ever phishing campaign against its users

The Python Package Index, better known among developers as PyPI, has issued a warning about a phishing attack targeting developers who use the service.

The community-run organization said this is the first known phishing attack against PyPI users. And the attack has unfortunately been somewhat successful, resulting in the compromise of some users’ accounts.

PyPI is an online package registry where Python programmers can download code modules for their applications and can host software libraries for the benefit of the Python community.

Software supply chain attacks have surged in the past few years and package registries, as part of that chain, have become frequent targets for online attacks because hijacking a package maintainer account, or being able to alter a hosted package, can make further malware distribution much easier.

“The phishing message claims that there is a mandatory ‘validation’ process being implemented, and invites users to follow a link to validate a package, or otherwise risk the package being removed from PyPI,” the organization said via Twitter, adding that it never removes valid projects from the registry, only those violating terms of service.

The phishing pitch is convincingly crafted because many of the popular package registries like npm, RubyGems, and PyPI in fact have been adding security requirements like the use of multi-factor authentication over the past few months and publishing details about the changes. In that context, a further validation process is more likely to seem plausible.

Coincidentally, miscreants have stepped up efforts to work around multi-factor authentication. Last November, security firm Sygnia reported seeing an increase in phishing attacks “that utilize a Man-in-the-Middle technique to overcome 2FA.”

The attack against PyPI follows a recently disclosed phishing campaign dubbed Oktapus that targeted employees of authentication firm Okta several months ago. With the credentials and 2FA codes gained, the phishers hit marketing firm Klaviyo, email service Mailchimp, and communications service Twilio, among others. It’s perhaps noteworthy that the PyPI phishing email appears to have come from a Mailchimp address.

According to PyPI, the phishing link deployed in the campaign leads to a website that mimics the organization’s login page and steals any credentials the victim enters. PyPI isn’t sure whether the data theft site is capable of relaying TOTP-based two-factor codes but says accounts protected with hardware security keys are safe.

The Google Sites-hosted phishing page, at sites[dot]google[dot]com/view/pypivalidate, sends the stolen credentials to the domain linkedopports[dot]com. Or rather it did since the page has been taken down.

“We have additionally determined that some maintainers of legitimate projects have been compromised, and malware published as the latest release for those projects,” said PyPI.

“These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen.”

The organization identified two package with malicious versions:

  • exotel==0.1.6
  • spam==2.0.2 and ==4.0.2

Additionally, several hundred of related typosquatting attacks have been removed.

As a result of the phishing campaign, PyPI announced it is giving away free hardware security keys to the maintainers of critical projects – the top 1 percent of projects by downloads over the past six months. There are about 3,500 qualifying projects and though October 1 eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping. ®