Phishing Campaign Targets PyPI Users to Distribute Malicious Code

Published: 23/11/2024   Category: security




The first-of-its-kind campaign threatens to remove code packages if developers don't submit their code to a bogus validation process.



A phishing campaign is targeting users of the Python Package Index (PyPI) by threatening to remove their code packages if they don't put them through a bogus validation process, PyPI administrators have warned.
PyPI administrators are alerting users of the repository, which enables Python developers to publish and find code packages for building software, about emails claiming that PyPI is implementing a mandatory validation process, they said in a series of tweets outlining how the scam works.
The messages invite PyPI users to follow a link to perform the validation or otherwise risk the package being removed from PyPI. The administrators assured users in a post that they would never remove a valid project from the index, and that they only take down projects that are found to be malicious or to violate the company's terms of service.
The campaign, which the administrators said is the first of its kind, steals users' credentials in order to upload compromised packages to the repository. The administrators noted that the phishing campaign does not target code repositories directly as a way to spread malware through the software supply chain.
The attackers behind the scam already have successfully stolen credentials from several PyPI users and uploaded malware into the projects they maintain to serve as the latest release for those projects, according to PyPI.
These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen, according to PyPI's Twitter post.
According to PyPI, the initial phishing message dangles the lure that Google is behind the validation process for new and existing PyPI packages. Ironically, the message claims the new process is due to a surge in malicious packages being uploaded to the PyPI.org domain.
The link takes the user to a phishing site at sites[dot]google[dot]com/view/pypivalidate that mimics PyPI's login page and steals any credentials entered there. The captured data is sent to a URL on the domain linkedopports[dot]com, according to PyPI.
PyPI administrators have been unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes but noted that accounts protected by hardware security keys are not vulnerable to the attack.
Repository administrators are actively reviewing reports of new malicious releases and ensuring that they are removed, so that the compromised accounts can be restored and their maintainers can continue to use PyPI.
The campaign bucks the trend where threat actors are targeting public code repositories to distribute malware to the software supply chain. Flawed code can be a goldmine for threat actors, expansively widening the impact of malicious campaigns when compromised code is built into numerous applications or websites without developers or users knowing.
The Log4J case, in which a flaw in a widely used Java logging tool affected millions of applications, many of which are still vulnerable, brought this to light in a big way, and threat actors recently have ramped up attacks on code repositories as a way to spread malicious code quickly through the supply chain.
Earlier this month, PyPI removed 10 malicious code packages from the registry after a security vendor informed it about the issue. Threat actors targeted the registry by embedding malicious code into the package installation script.
PyPI has been aware of the target on its back and in the past few years has enacted several security initiatives to better protect its users.
These measures include the addition of two-factor authentication (2FA) as a login option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.
PyPI is currently working to make 2FA more prevalent across projects on the repository, administrators said, adding that PyPI users with 2FA already implemented should reset recovery codes if they think that their account has been compromised.
To avoid being phished altogether, PyPI users who follow a link in any email purporting to come from PyPI should confirm that the URL in the browser's address bar is http://pypi.org and that the site's TLS certificate is issued to http://pypi.org. Users also should consider using a browser-integrated password manager, administrators tweeted.
Enabling 2FA by using hardware security keys or WebAuthn 2FA also can help PyPI users avoid being compromised by phishing attempts, they said. In fact, to help facilitate better protection, the repository currently offers free hardware keys for maintainers of the top 1% of projects.
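The address-bar check the administrators recommend can be applied to the links in a suspect email before anyone clicks them. The following is an added example, not PyPI's own tooling; it assumes that the only legitimate destination is pypi.org (or a subdomain) over https, and it rejects the lookalike tricks a lure like the one above relies on: a trusted-looking third-party host, a plain-http link, a `user@host` trick that hides the real host, and a host that merely starts with "pypi.org".

```python
import re
from urllib.parse import urlsplit

# The only host a real PyPI login link should use (assumption taken from the advisory above).
LEGIT_HOST = "pypi.org"

# Plain http(s) URL matcher for e-mail bodies; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit_pypi_link(url: str) -> bool:
    """True only for an https URL whose host is pypi.org or one of its subdomains."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops userinfo ('pypi.org@attacker.example') and port
    except ValueError:         # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    host = host.lower().rstrip(".")
    # Exact match or a real subdomain; 'pypi.org.attacker.example' must not pass.
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)


def triage_email_links(body: str) -> dict[str, bool]:
    """Map every URL found in an e-mail body to whether it is a legitimate PyPI link."""
    result = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,);")  # drop sentence punctuation glued to the link
        result[url] = is_legit_pypi_link(url)
    return result


# Constructed sample modelled on the lure described above (not a real e-mail).
# attacker.example is a placeholder host, not a real indicator.
SAMPLE_EMAIL = """\
PyPI now runs a mandatory validation process backed by Google.
Validate your package here: https://sites.google.com/view/pypivalidate
Mirror: http://pypi.org/account/login/
Or: https://pypi.org@attacker.example/login
Or: https://pypi.org.attacker.example/login
Docs: https://pypi.org/help/
"""

if __name__ == "__main__":
    for link, ok in triage_email_links(SAMPLE_EMAIL).items():
        print("OK   " if ok else "PHISH", link)
```

Only the final docs link passes; every other link in the sample is rejected for a different reason.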
PyPI advised any users who think they've been compromised to contact [email protected] with details of the sender's email address and the URL of the malicious site, to help administrators respond to this issue.
