A maintainer of the Python Package Index (PYPI) repository has issued a warning about an ongoing phishing attack targeting users to redirect them to forge Pypi sites.
Attacks send an email message with a subject that sends a subject from the email address “(pypi) Email Verification” noreply@pypj(.) org (Note that the domain is not the case.”Pypi (.) org“).
“This is not a breach of Phi Phi itself, but a phishing attempt to utilize the trusts held by trust users in Phi Phi,” Phi Phi administrator Mike Feedler said in a post Monday.
An email message tells the user to follow the link to verify their email address. This leads to replica phishing sites designed to impersonate Pypi and harvest credentials.
However, a clever twist makes the victim think that when login information is entered into a fake site, the request is routed to a legal PYPI site, and when the attacker is actually given their qualifications, it makes the victim think that nothing is unfair in reality. This method is difficult to detect because there are no error messages or logins that have failed to log in to trigger suspicion.
Pypi said it is considering various ways to handle the attack. Meanwhile, it encourages users to inspect their browser URL before signing in, and avoids clicking on the link if they have already received such emails.
If you’re not sure if email is legal, a quick check of your domain name (letter by character) can help. Tools such as browser extensions that highlight validated URLs or password managers that are autofilled only with known domains can add a second layer of defense. These types of attacks are not just cheating on individuals. They aim to access accounts that may publish or manage widely used packages.
“If you already have clicked a link to provide your credentials, we recommend that you change your password immediately in Pypi,” Fiedler says. “Please inspect your account’s security history for unexpected reasons.”
It is not clear at the moment who is behind the campaign, but the activity has a noticeable similarity with recent NPM phishing attacks that employ the type cut domain “npnjs(.)com” (“npmjs(.)com”) sending similar email verification emails to capture user authentication emails.
The attack compromised seven different NPM packages, distributing malware called Scavenger Stealer, and collecting sensitive data from web browsers. In one case, the attack paved the way for a JavaScript payload that captured system information and environment variables and extracted details over a WebSocket connection.
Similar attacks have been seen in NPM, GitHub and other ecosystems, with trust and automation playing a central role. Typeskirting, spoofing, and reverse proxy phishing are all tactics in this growing category of social engineering that leverage the way developers interact with the tools they rely on every day.
