The Python Software Foundation (PSF) is warning developers about a new wave of phishing attacks. The attacks use a fake Python Package Index (PyPI) website to steal user credentials.
The phishing emails ask developers to verify their email address for "account maintenance and security procedures" and threaten to suspend accounts that do not comply. The link leads to a fraudulent site at pypi-mirror[.]org that imitates the PyPI login page and captures whatever credentials are entered.
If you have already clicked the link and entered your credentials, the PSF recommends changing your password on the official PyPI website (pypi.org) immediately and reviewing your account's security history for logins, password changes or API tokens you do not recognize.
The goal of the attackers is to steal credentials that can be used to compromise existing Python packages with malware or to publish new malicious ones. These attacks are part of a larger phishing campaign that has also used the domain pypj[.]org.
The PSF advises package maintainers never to follow links in emails and to use a password manager that autofills credentials only on the exact domain they were saved for: a manager holding a pypi.org login will not offer it on pypi-mirror[.]org, which is itself a warning sign. It also recommends phishing-resistant two-factor authentication such as hardware security keys, whose assertions are bound to the site origin and cannot be replayed against the real PyPI. Users can help shut down these campaigns by reporting malicious domains to their registrars.
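The domain check a password manager performs can also be run by hand over a suspicious message. The script below is an added example (not from the PSF advisory or from PyPI's own tooling): it pulls every http(s) URL out of an email body, compares the hostname against a small allowlist (assumed here to be pypi.org and its subdomains; extend it for any mirrors you use), and flags lookalikes such as pypi-mirror[.]org, the single-character typosquat pypj[.]org, a brand name buried in a subdomain, and the `https://pypi.org@evil.example/` userinfo trick. The sample email is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hostnames treated as genuine PyPI. Assumption for this example: pypi.org and its
# subdomains (e.g. test.pypi.org). files.pythonhosted.org is deliberately not listed,
# so it will come back 'unrelated' rather than 'legit'; add it if you want it allowed.
LEGIT_DOMAINS = {"pypi.org"}
BRAND = "pypi"

# Crude URL matcher: scheme, then everything up to whitespace or a closing bracket/quote.
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as 'pypj'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    # Exact or subdomain match on an allowlisted domain wins outright.
    for domain in LEGIT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "legit", f"matches allowlisted domain {domain}"
    labels = host.split(".")
    # Second-level label, e.g. 'pypi-mirror' in pypi-mirror.org or 'pypj' in pypj.org.
    sld = labels[-2] if len(labels) >= 2 else host
    # Brand string anywhere in a non-allowlisted host: pypi-mirror.org, pypi.org.evil.example
    if BRAND in host:
        return "lookalike", f"'{BRAND}' embedded in a host that is not on the allowlist"
    # One edit away from the brand: pypj, pypl, pipi ...
    if levenshtein(sld, BRAND) <= 1:
        return "lookalike", f"'{sld}' is within edit distance 1 of '{BRAND}'"
    return "unrelated", "no resemblance to PyPI"


def classify_url(url: str) -> dict:
    """Classify one URL, including the 'brand@realhost' userinfo trick."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # https://pypi.org@evil.example/ displays pypi.org but connects to evil.example.
    if "@" in parts.netloc and BRAND in parts.netloc.split("@", 1)[0]:
        return {"url": url, "host": host, "verdict": "lookalike",
                "reason": f"'{BRAND}' in userinfo before '@'; real host is {host}"}
    verdict, reason = classify_host(host)
    return {"url": url, "host": host, "verdict": verdict, "reason": reason}


def scan_email(body: str) -> list[dict]:
    """Find every http(s) URL in an email body and classify its host."""
    results = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:")  # drop sentence punctuation glued to the URL
        results.append(classify_url(url))
    return results


# Constructed sample in the style the article describes; not a real captured message.
SAMPLE_EMAIL = """\
From: PyPI Support <support@pypi-mirror.org>
Subject: Action required: verify your email address

As part of account maintenance and security procedures, please verify
your email address within 48 hours or your account will be suspended.

Verify now: https://pypi-mirror.org/account/verify?u=maintainer
Help center: https://pypj.org/help
Official docs: https://pypi.org/help/
"""

if __name__ == "__main__":
    for r in scan_email(SAMPLE_EMAIL):
        print(f"{r['verdict']:10} {r['host']:22} {r['reason']}")
```

The allowlist check runs first and is exact, which is the same rule a password manager applies: anything that merely contains or resembles the brand is treated as hostile, never as "close enough". Run it on the sample and the two campaign domains come back as lookalikes while the genuine pypi.org link is the only one marked legit.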
Last week, the Python Software Foundation also invalidated all PyPI tokens that were stolen in the GhostAction supply chain attack in early September. The organization confirmed that the stolen tokens were not used to publish malware.