PyPI Warns Users of Fresh Phishing Campaign


The Python Package Index (PyPI), the default platform for Python’s package management tools, is warning users of a fresh phishing campaign relying on domain confusion to harvest credentials.

The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action.

“This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation],” PSF security developer-in-residence Seth Larson warns.

Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.

Those who clicked on the links in these emails and shared their credentials on the fake website, however, are advised to immediately rotate their credentials, check their account’s security history for anomalies, and report suspicious activity.
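The warning above hinges on one check maintainers can automate on their own side: the link in an account-security email should resolve to a domain the project actually owns, and a hostname that merely contains the brand name (such as the pypi-mirror.org domain named in the PSF warning) should be treated as a lookalike. The following Python script is an added example, not code from PyPI, the PSF, or this article; it assumes a small allowlist of legitimate hosts (pypi.org and python.org) and a simplified "last two labels" notion of registrable domain, and the sample email body is constructed to resemble the campaign described:

```python
import re
from urllib.parse import urlparse

# Assumption for this example: these are the registrable domains from which
# genuine PyPI/PSF account mail links originate. An organisation should
# replace this with its own verified list.
LEGITIMATE_HOSTS = {"pypi.org", "python.org"}

# Brand keywords whose presence in a non-allowlisted hostname marks it as a
# likely lookalike (domain-confusion) rather than an unrelated third party.
BRAND_KEYWORDS = ("pypi", "python")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (files.pypi.org -> pypi.org).

    Simplification: multi-part public suffixes such as co.uk are not handled;
    a production check would use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legitimate(host):
    """True only when the registrable domain is on the allowlist, so a
    hostname like pypi.org.evil.test is rejected despite the prefix."""
    return registrable_domain(host) in LEGITIMATE_HOSTS


def classify_links(message_body):
    """Return (url, verdict) for every URL found in the message body.

    Verdicts:
      'ok'        - registrable domain is on the allowlist
      'lookalike' - not allowlisted, but the hostname contains a brand keyword
      'unknown'   - neither allowlisted nor brand-themed
    """
    results = []
    for url in URL_RE.findall(message_body):
        host = urlparse(url).hostname or ""
        if is_legitimate(host):
            verdict = "ok"
        elif any(kw in host.lower() for kw in BRAND_KEYWORDS):
            verdict = "lookalike"
        else:
            verdict = "unknown"
        results.append((url, verdict))
    return results


def suspicious_links(message_body):
    """Every URL that is not on the allowlist; non-empty means do not click."""
    return [url for url, verdict in classify_links(message_body) if verdict != "ok"]


# Constructed sample: the wording mirrors the "verify your email or be
# suspended" lure described in the warning, the first link uses the
# pypi-mirror.org domain the PSF named, and the remaining lines are invented.
SAMPLE_EMAIL = """\
Subject: Verify your PyPI email address

Your account will be suspended unless you confirm your email.
Verify now: https://pypi-mirror.org/account/verify?token=abc123
Manage settings: https://pypi.org/manage/account/
Unsubscribe: https://mail-relay.example.net/unsub
"""

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

Run against the constructed message, the pypi-mirror.org link is flagged as a lookalike, the pypi.org link passes, and the unrelated relay host is reported as unknown; anything other than an empty `suspicious_links` result is a reason to open PyPI directly in the browser rather than follow the email.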

The campaign echoes a recent phishing attack targeting NPM package maintainers with emails asking them to update their MFA information to avoid account suspension.

The NPM attack successfully tricked several maintainers, including Josh Junon (Qix), who maintains 18 packages with over 2.5 billion weekly downloads, resulting in dozens of malicious versions of the compromised packages being pushed to the NPM registry.

In recent years, threat actors have increasingly targeted the open source ecosystem for malware distribution and large-scale supply chain attacks.


“Threat actors are finding different ways to steal credentials for cloud accounts essential for enterprises to assemble and develop software for their respective customers. The tactics used enable threat actors to identify many more target enterprises (customers) and monetize the compromise in several ways,” Saviynt chief trust officer Jim Routh said.

“Enterprises have an opportunity to more effectively manage the risk of this type of credential compromise through advanced authentication methods, cloud account access management methods, and privileged user management using continuous validation techniques,” Routh added.

Related: GitHub Boosting Security in Response to NPM Supply Chain Attacks

Related: Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack

Related: AI Supply Chain Attack Method Demonstrated Against Google, Microsoft Products

Related: Watch on Demand: Supply Chain & Third-Party Risk Security Summit
