
Hackers are targeting Python developers with fake PyPI sites


Hackers are using a phishing site that impersonates the legitimate PyPI website to steal user account credentials. The primary objective behind the campaign is unknown, but the attackers could use stolen credentials to upload malicious packages to the PyPI repository without disclosing their identities.

PyPI admin Mike Fiedler confirmed the campaign, assuring users that it isn’t an attack on PyPI and the repository hasn’t been breached. According to Mike, “this is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.”

The phishing website uses typosquatting to make its domain look like the original: instead of the official “pypi.org”, the fake site is hosted on “pypj.org”. Users who have recently published projects on PyPI with their email address in the package metadata are receiving emails titled “[PyPI] Email verification” from noreply@pypj.org.


The email prompts users to verify their email address on the phishing website. Once a user clicks the link in the email, they are prompted to log in, and the phishing site relays the login request to the real PyPI website. This tricks the user into believing they are logging into the official site, while their credentials are captured by the attackers.

Several security measures have been put in place to warn users of the phishing attempt. The PyPI website has a banner on the homepage warning users of the phishing attempt, and the team has already sent trademark and abuse notifications to CDN providers and domain registrars to take down the website.

Python developers working with PyPI are advised to verify the URL before entering their credentials on a login page. Additionally, anyone who has uploaded a project to PyPI recently is strongly advised to change their password as soon as possible.
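The advice above, to check the URL before typing a password, can be automated for the mail a team receives. The following is an added example, not code from the article or from the PyPI team: it extracts the sender address and every link from a raw email and flags domains that are within a small edit distance of pypi.org, or that embed "pypi.org" as a subdomain of something else. The legitimate-domain set, the allowlist of related Python sites, the distance thresholds and the sample email are all assumptions constructed here; the "pypj.org" domain is the one the article names.

```python
"""Flag links and sender addresses that merely look like pypi.org.

Added example, not code from the article or from the PyPI team.
The domain lists, thresholds and the sample email are constructed here.
"""
import re
from urllib.parse import urlparse

# Assumption: only pypi.org may legitimately ask for PyPI credentials.
LEGIT_DOMAINS = {"pypi.org"}

# Assumption: related Python sites that would otherwise trip the
# edit-distance check (pypa.io is one substitution away from pypi.org).
ALLOWLIST = {"pypa.io", "python.org", "pythonhosted.org"}

# Thresholds (assumptions): whole registrable domain, and the second-level label alone.
MAX_DOMAIN_DISTANCE = 2
MAX_LABEL_DISTANCE = 1

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FROM_RE = re.compile(r"^From:.*?<?([\w.+-]+@[\w.-]+)>?", re.IGNORECASE | re.MULTILINE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real deployment
    should consult the Public Suffix List so that e.g. example.co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """Return 'legitimate', 'allowlisted', 'lookalike' or 'other'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    if reg in ALLOWLIST:
        return "allowlisted"
    for legit in LEGIT_DOMAINS:
        # Legitimate name used as a subdomain, e.g. pypi.org.evil.example
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return "lookalike"
        # Near miss on the whole domain (pypj.org) or on the label alone (pypi.com)
        if levenshtein(reg, legit) <= MAX_DOMAIN_DISTANCE:
            return "lookalike"
        if levenshtein(reg.split(".")[0], legit.split(".")[0]) <= MAX_LABEL_DISTANCE:
            return "lookalike"
    return "other"


def scan_email(raw: str) -> dict:
    """Classify the From: domain and every URL found in one raw email."""
    result = {"sender": None, "links": {}}
    m = FROM_RE.search(raw)
    if m:
        result["sender"] = classify_domain(m.group(1).split("@", 1)[1])
    for url in URL_RE.findall(raw):
        result["links"][url] = classify_domain(urlparse(url).hostname or "")
    return result


# Constructed sample modelled on the lure described in the article.
SAMPLE_EMAIL = """\
From: PyPI <noreply@pypj.org>
Subject: [PyPI] Email verification

Please verify your email address: https://pypj.org/account/verify
Documentation: https://pypi.org/help/
Unsubscribe: https://mail.example.net/unsub
"""

if __name__ == "__main__":
    report = scan_email(SAMPLE_EMAIL)
    print("sender:", report["sender"])
    for url, verdict in report["links"].items():
        print(f"{verdict:12s} {url}")
```

Anything reported as "lookalike" is worth a rule in the mail gateway or a warning banner; "other" domains are simply unrelated to PyPI and need separate judgement. The registrable-domain helper and the thresholds are deliberately simple, so tune the allowlist before wiring this into a real pipeline.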


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
