
Phishing Campaign Targets PyPI Project Maintainers

The maintainers of the PyPI Python package index are warning developers and users about an ongoing phishing campaign targeting them that aims to steal credentials and has resulted in malicious updates to some packages.

The campaign begins with emails to developers telling them that they must log in and "validate" their packages to prevent those packages from being removed from the index. PyPI is the central index of Python projects from which users find, download and install packages. Users who click the link in the phishing email land on a spoofed PyPI login page and are asked to enter their credentials.

“Note that PyPI will NEVER remove a valid project from the index. PyPI only removes projects which violate our TOS or are in some way determined to be harmful (e.g., malware),” the PyPI maintainers said on Twitter Wednesday.

“We are unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes. Accounts protected by hardware security keys are not vulnerable.”

The phishing site is hosted on Google Sites; credentials entered there are posted to an attacker-controlled domain, which is also the origin from which the malicious releases were pushed. The attackers' aim is to obtain valid credentials for PyPI projects, add malicious releases to those projects, and thereby gain a foothold on the machines of users who download the tampered releases. PyPI's maintainers said they have identified at least two malicious releases pushed by the attackers so far.

“We’re actively reviewing reports of new malicious releases, and ensuring that they are removed and the maintainer accounts restored. We’re also working to make security features like 2FA more prevalent across projects on PyPI,” the maintainers said.

Project owners who believe they may have been compromised should reset their password right away, reset any 2FA recovery codes, check their PyPI account logs for unusual activity, and review the release history of their projects for uploads they did not make, so that any malicious releases can be reported and removed. The PyPI maintainers also are encouraging project owners to adopt hardware security keys for 2FA, which cannot be relayed by a phishing page the way a TOTP code can. Last month, PyPI began requiring 2FA for the maintainers of projects designated as critical, and is offering two free Titan security keys to those maintainers.
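The release review described above can be scripted against PyPI's public JSON API (GET https://pypi.org/pypi/&lt;project&gt;/json), whose "releases" object maps each version to a list of distribution files with an upload timestamp and SHA-256 digest. The following is an added example, not code from the article or from the PyPI maintainers: it flags any file whose version the maintainer never published, or that was uploaded after the suspected time of compromise, and it also builds a hash-pinned requirements line so consumers of the package can refuse anything other than a verified release. The project name, versions, timestamps and digests in the sample are constructed for illustration and do not describe any real package.

```python
"""Audit a PyPI project's release history for uploads the maintainer did not make."""
import json
from datetime import datetime

# Constructed sample mirroring the shape of PyPI's JSON API response
# (GET https://pypi.org/pypi/<project>/json). Only the fields used here are
# included; a real response carries many more. The project name, versions,
# timestamps and digests are made up for this example.
SAMPLE_PROJECT_JSON = json.dumps({
    "info": {"name": "exampleproj", "version": "1.4.1"},
    "releases": {
        "1.3.0": [
            {"filename": "exampleproj-1.3.0-py3-none-any.whl",
             "upload_time_iso_8601": "2022-05-10T09:00:00.000000Z",
             "digests": {"sha256": "1" * 64}},
        ],
        "1.4.0": [
            {"filename": "exampleproj-1.4.0-py3-none-any.whl",
             "upload_time_iso_8601": "2022-07-02T10:15:00.000000Z",
             "digests": {"sha256": "2" * 64}},
            {"filename": "exampleproj-1.4.0.tar.gz",
             "upload_time_iso_8601": "2022-07-02T10:15:30.000000Z",
             "digests": {"sha256": "3" * 64}},
        ],
        # A release the maintainer never cut: the kind of upload an attacker
        # with phished credentials would push.
        "1.4.1": [
            {"filename": "exampleproj-1.4.1-py3-none-any.whl",
             "upload_time_iso_8601": "2022-08-24T03:41:12.000000Z",
             "digests": {"sha256": "4" * 64}},
        ],
    },
})


def parse_upload_time(stamp: str) -> datetime:
    """PyPI emits timestamps like '2022-08-24T03:41:12.000000Z'; return a
    timezone-aware UTC datetime (the 'Z' suffix is rewritten for older
    Python versions whose fromisoformat() does not accept it)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def unexpected_releases(project_json: str, published_versions: set, since_iso: str) -> list:
    """Return every distribution file whose version is not in the
    maintainer's own list of published versions, or which was uploaded at or
    after `since_iso` (for example the moment credentials were entered into
    the phishing page). Results are sorted by upload time."""
    data = json.loads(project_json)
    since = parse_upload_time(since_iso)
    flagged = []
    for version, files in data["releases"].items():
        for entry in files:
            uploaded = parse_upload_time(entry["upload_time_iso_8601"])
            reasons = []
            if version not in published_versions:
                reasons.append("version not in maintainer's published set")
            if uploaded >= since:
                reasons.append("uploaded after suspected compromise")
            if reasons:
                flagged.append({
                    "version": version,
                    "filename": entry["filename"],
                    "uploaded": uploaded.isoformat(),
                    "sha256": entry["digests"]["sha256"],
                    "reasons": reasons,
                })
    flagged.sort(key=lambda f: f["uploaded"])
    return flagged


def pinned_requirement(project_json: str, version: str) -> str:
    """Build a hash-pinned requirements.txt line for a release the maintainer
    has verified, so that `pip install --require-hashes -r requirements.txt`
    refuses any file whose digest is not listed, including a later malicious
    release pushed under the same project name."""
    data = json.loads(project_json)
    name = data["info"]["name"]
    hashes = " ".join(
        f"--hash=sha256:{f['digests']['sha256']}" for f in data["releases"][version]
    )
    return f"{name}=={version} {hashes}"


if __name__ == "__main__":
    # The maintainer knows they only ever published 1.3.0 and 1.4.0 and
    # entered credentials on the phishing page on 2022-08-23.
    for hit in unexpected_releases(SAMPLE_PROJECT_JSON, {"1.3.0", "1.4.0"}, "2022-08-23T00:00:00Z"):
        print(f"{hit['filename']} uploaded {hit['uploaded']}: {', '.join(hit['reasons'])}")
    print(pinned_requirement(SAMPLE_PROJECT_JSON, "1.4.0"))
```

Feeding the function a real response fetched from the JSON API (with `urllib.request` or `requests`) is the only change needed to run it against a live project; the flagged list is exactly what the maintainer should report to PyPI for removal. The hash-pinned line goes beyond the article's remediation advice: it is the consumer-side control that keeps an automated build from silently picking up a malicious release that appears under a trusted name.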

Last week, RubyGems began requiring 2FA for maintainers of gems with more than 180 million downloads, and GitHub has announced a similar requirement for anyone who contributes code on its platform.