Python developers targeted by new phishing attacks: how to stay safe

PyPI said the latest phishing attacks on users are a continuation of a campaign that has been going on for several months. The attackers are using fake emails and domains that mimic real ones to steal logins and passwords.

“Unfortunately, there is an ongoing series of phishing attacks using obfuscated domain names and legitimate-looking emails,” PyPI security developer Seth Larson wrote in a blog post. “This is the same attack that PyPI saw a few months ago, targeting many other open source repositories, but with a different domain name. Based on this, we believe this type of campaign will continue in the future, using new domains.”

In the emails, the attackers ask victims to "verify" their addresses, allegedly for "account maintenance and security," threatening to close the account if they do not comply, TechRadar writes.

This sense of urgency and threat is a classic phishing tactic. The email redirects users to pypi-mirror.org, which has no connection to PyPI or the Python Software Foundation.

“If you have already followed the link and provided your credentials, we recommend that you change your PyPI password immediately,” Larson warned. “Check your account’s Security History for any suspicious activity. Report suspicious activity, such as potential phishing campaigns against PyPI, to [email protected].”

Phishing protection is both extremely complex and simple. In theory, it's enough to just be careful and not click on suspicious links. But in case vigilance drops, users are advised to enable phishing-resistant two-factor authentication (2FA), for example, using hardware keys.
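The "suspicious link" check can be automated for mail that claims to come from PyPI. The following is an added example, not code from PyPI or the original article: it pulls links out of a message and flags hosts that reuse the PyPI name without being pypi.org or one of its subdomains. The allowlist, the brand token and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

TRUSTED = {"pypi.org"}   # assumption: hosts a genuine PyPI email links to
BRAND = "pypi"           # brand token a lookalike host tends to reuse
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message; sender, recipient and URL paths are made up.
SAMPLE = """\
From: "PyPI" <noreply@example.com>
To: dev@example.com
Subject: Verify your email address
Content-Type: text/html; charset="utf-8"

<p>Verify your address for account maintenance and security.</p>
<a href="https://pypi-mirror.org/account/verify">Verify</a>
<a href="https://pypi.org@pypi-mirror.org/login">Log in</a>
<a href="https://pypi.org/help/">Help</a>
"""


def links_in_email(raw):
    """Collect http(s) URLs from every text part of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls += URL_RE.findall(part.get_content())
    return urls


def classify(url):
    """Return 'trusted', 'lookalike' (brand in an untrusted host) or 'other'."""
    # .hostname drops any "user@" prefix, so "pypi.org@evil.example" yields
    # the real destination host rather than the decoy before the "@".
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    return "lookalike" if BRAND in host else "other"


def suspicious_links(raw):
    """Sorted, de-duplicated lookalike URLs found in the message."""
    return sorted({u for u in links_in_email(raw) if classify(u) == "lookalike"})


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE):
        print("lookalike:", url)
```

A substring match on the brand is a coarse heuristic: it catches domains such as the one named in this article but not lookalikes that avoid the name entirely, which is why phishing-resistant 2FA remains the stronger control.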
