The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks that use a fake Python Package Index (PyPI) website.
PyPI is the repository for Python packages, hosted at pypi.org, that gives developers a central place to publish and install third-party libraries. It hosts hundreds of thousands of packages and is the default source for Python's package-management tools.
“PyPI has not been hacked, but users are being targeted by a phishing attack that tries to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPI with their email address registered on PyPI may receive an email from the address noreply@pypj.org,” PyPI administrator Mike Fiedler warns.
“This is not a security breach of PyPI, but a phishing attempt that exploits the trust users have in PyPI. The email instructs users to follow a link to verify their email address, which leads to a phishing site that looks like PyPI but is not the official site.”
After opening the malicious website, targeted users are prompted to sign in, with the login relayed to the real PyPI so that they believe they have logged into PyPI.
In reality, the attackers harvest the credentials, which they can later use to inject malware into Python packages the victims have already uploaded to PyPI, or to upload new malicious packages to the platform.
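The campaign above hinges on a single-character lookalike of pypi.org (pypj.org) in both the sender address and the link. The following is an added example, not code from the article or from the PyPI project, showing how a mail filter or a SOC script can flag such lookalike domains by extracting sender addresses and URLs from a message and comparing their registrable domain against the official one by edit distance. The `LEGIT_DOMAINS` set, the sample messages and the `token=example` query string are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Official domain the campaign impersonates. Extend this set with other
# domains you expect legitimate mail to link to (assumption: only pypi.org here).
LEGIT_DOMAINS = {"pypi.org"}

# Constructed sample messages (not real captures): one mimicking the phishing
# email described in the article, one resembling a legitimate PyPI notice.
SAMPLE_PHISH = """\
From: PyPI <noreply@pypj.org>
Subject: Verify your email address

Please verify your email address by visiting
https://pypj.org/account/verify-email/?token=example
"""
SAMPLE_LEGIT = """\
From: PyPI <noreply@pypi.org>
Subject: Security notice

Review your account at https://pypi.org/manage/account/
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname, e.g. 'mail.pypj.org' -> 'pypj.org'.
    (Simplification: does not consult the public suffix list.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str, max_distance: int = 1) -> bool:
    """True if the domain is within max_distance edits of an official domain
    but is not itself official."""
    d = registrable(host)
    if d in LEGIT_DOMAINS:
        return False
    return any(levenshtein(d, legit) <= max_distance for legit in LEGIT_DOMAINS)


def suspicious_domains(message: str) -> list[str]:
    """Return sorted lookalike domains found in email addresses and links
    anywhere in the raw message text (headers and body)."""
    hosts = [m.group(1) for m in EMAIL_RE.finditer(message)]
    for m in URL_RE.finditer(message):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.append(host)
    return sorted({registrable(h) for h in hosts if is_lookalike(h)})


if __name__ == "__main__":
    print("phish:", suspicious_domains(SAMPLE_PHISH))   # ['pypj.org']
    print("legit:", suspicious_domains(SAMPLE_LEGIT))   # []
```

An edit distance of 1 catches the pypj.org case and similar single-key typosquats; it will not catch longer lookalikes such as a hyphenated or extra-label domain, so in production combine it with an allow-list of sending domains and with SPF/DKIM/DMARC alignment checks on the sender.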

PyPI admins have also added a banner to the PyPI homepage warning users about this phishing attack, and are now working on ways to disrupt the ongoing campaign.
“We are waiting on CDN providers and name registrars to respond to the trademark and abuse reports we have sent them about the phishing site,” Fiedler said.
Python developers and PyPI users who receive these phishing emails are advised not to click the embedded link and to delete the email immediately.
Those who have already entered their credentials on the pypj[.]org phishing site should immediately change their PyPI password and inspect their account's security history for suspicious or unexpected activity.
In February, the Python Software Foundation introduced 'Project Archival', a new system that lets PyPI publishers archive their projects, signaling to users that no further updates should be expected.
PyPI was also forced to temporarily suspend user registration and the creation of new projects in March 2024, after a malware campaign attributed to threat actors uploaded hundreds of malicious packages masquerading as legitimate projects.