Privacy Ninja

PyPI Packages Hijacked After Developers Fall for Phishing Emails

A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry.

Python packages ‘exotel’ and ‘spam’ are among hundreds seen laced with malware after attackers compromised the accounts of maintainers who fell for the phishing email.

Phishing campaign targets PyPI maintainers

Admins of the PyPI registry confirmed yesterday that a phishing email campaign had been actively targeting PyPI maintainers, after Django project board member Adam Johnson reported receiving a suspicious email.

The email urges developers who have packages published to PyPI to undergo a mandatory “validation” process or risk having their packages purged from the PyPI registry:

Background: the phishing message claims that there is a mandatory ‘validation’ process being implemented, and invites users to follow a link to validate a package, or otherwise risk the package being removed from PyPI. — Python Package Index (@pypi) August 24, 2022

“The phishing site looks fairly convincing,” explained Johnson.

“But as it’s on Google Sites, there’s a floating ‘info’ button at the bottom left. Clicking this allows you to report the site as a phishing attack, which I’ve done.”

PyPI identifies compromised packages

Unfortunately, some developers did fall for the phishing emails and entered their credentials on the attacker’s webpage, leading to their creations getting hijacked and laced with malware.

Among the hijacked package versions are ‘spam’ (versions 2.0.2 and 4.0.2) and ‘exotel’ (version 0.1.6). These versions were taken down from PyPI yesterday, as confirmed by BleepingComputer.

PyPI admins further reassured users that they had identified and removed “several hundred typosquats” matching the same pattern.

The malicious code inserted in the hijacked versions exfiltrated the user’s computer name to domain linkedopports[.]com and further downloaded and launched a trojan that BleepingComputer saw making requests to the same illicit domain.

The malicious releases follow a similar pattern, again using linkedopports[dot]com. At this time, the malicious releases that we are aware of are:
– exotel==0.1.6
– spam==2.0.2 and ==4.0.2

We’ve additionally taken down several hundred typosquats that fit the same pattern. — Python Package Index (@pypi) August 24, 2022
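The release list above is exactly what a defender needs to sweep their own environments. The following script is an added example, not code from the article or from PyPI: it parses `pip freeze`-style output, normalizes project names the way PyPI does (case-insensitive, with runs of `-`, `_` and `.` collapsed to `-`), and reports any pin that matches one of the malicious releases named in the notice. The sample environment it scans is constructed for illustration.

```python
import re

# Malicious releases named in PyPI's notice, as quoted in the article.
KNOWN_BAD_RELEASES = {
    ("exotel", "0.1.6"),
    ("spam", "2.0.2"),
    ("spam", "4.0.2"),
}


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str) -> list[tuple[str, str]]:
    """Parse 'name==version' lines as emitted by `pip freeze` or a pinned requirements file.

    Comments, blank lines, option lines and editable (-e) entries are skipped;
    extras and environment markers are stripped before matching.
    """
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        line = line.split(";", 1)[0].strip()  # drop environment marker
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\S+)$", line)
        if m:
            pins.append((normalize_name(m.group(1)), m.group(2)))
    return pins


def find_compromised(text: str, bad=KNOWN_BAD_RELEASES) -> list[str]:
    """Return 'name==version' strings for every pin that matches a known-bad release."""
    bad_norm = {(normalize_name(n), v) for n, v in bad}
    hits = {f"{n}=={v}" for n, v in parse_pinned_requirements(text) if (n, v) in bad_norm}
    return sorted(hits)


# Constructed sample `pip freeze` output (not taken from the article).
SAMPLE_FREEZE = """\
# constructed example environment
requests==2.28.1
Exotel==0.1.6
spam==4.0.2
spam-filter==2.0.2 ; python_version >= "3.8"
-e git+https://example.invalid/repo.git#egg=local-tool
"""

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_FREEZE):
        print("compromised release pinned:", hit)
```

Run it against `pip freeze > frozen.txt` output from each environment; note that `spam-filter==2.0.2` in the sample is deliberately not flagged, since only the exact project name and version pair in the notice is malicious.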

“We’re actively reviewing reports of new malicious releases, and ensuring that they are removed and the maintainer accounts restored,” says PyPI.

“We’re also working to provide security features like 2FA more prevalent across projects on PyPI.”

Along with this, the registry admins shared steps developers could take to safeguard themselves from such phishing attacks, such as checking the URL of the page before entering their PyPI account credentials:

To verify that you’re not entering credentials in a phishing site, confirm that the URL in the address bar is and that the site’s TLS certificate is issued to Additionally, consider using a browser-integrated password manager. — Python Package Index (@pypi) August 24, 2022
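The address-bar check in the notice is easy to get wrong in code by testing for a substring or prefix, which a lookalike host or a `user@host` URL would pass. The function below is an added example, not from the article or from PyPI, showing the strict form of the check: the scheme must be HTTPS and the hostname must equal the expected host exactly. The expected host `pypi.org` is assumed here, since the value quoted in the notice did not survive extraction; the test URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed legitimate PyPI host (the notice's value is missing from the article text).
EXPECTED_HOST = "pypi.org"


def is_expected_login_url(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if `url` is an HTTPS URL whose hostname is exactly `expected_host`.

    Exact equality defeats the usual tricks: a subdomain of another zone
    (pypi.org.example.net), a lookalike (pypi-org.example), and userinfo
    before an '@' (pypi.org@example.net), which urlsplit correctly parses
    as credentials rather than the host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host.isascii():
        return False  # reject internationalized lookalikes outright
    return host == expected_host


# Constructed URLs for illustration; none of them are taken from the article.
SAMPLE_URLS = [
    "https://pypi.org/account/login/",
    "https://pypi.org.sites.example/validate",
    "https://pypi.org@sites.example/validate",
    "http://pypi.org/account/login/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("OK  " if is_expected_login_url(u) else "BAD ", u)
```

The same exact-match discipline applies to the certificate check the notice mentions: the certificate's subject must name the expected host itself, not merely contain it.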

This development follows May’s hijack of the popular PyPI library ‘ctx’ that had prompted PyPI admins to mandate two-factor authentication for maintainers of critical projects.

The repeated malware incidents and attacks involving open source software components have forced registry administrators to step up security across their platforms. It remains to be seen how well the added burden of securing their projects, on top of developing them, aligns with the expectations of open source software developers.
