PyPI Packages Hijacked After Developers Fall for Phishing Emails
A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry.
Python packages ‘exotel’ and ‘spam’ are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email.
Phishing campaign targets PyPI maintainers
Admins of the PyPI registry confirmed yesterday a phishing email campaign had actively been targeting PyPI maintainers after Django project board member Adam Johnson reported receiving a suspicious email.
The email urges developers, who have their packages published to PyPI, to undergo a mandatory “validation” process or risk getting their packages purged from the PyPI registry:
Background: the phishing message claims that there is a mandatory ‘validation’ process being implemented, and invites users to follow a link to validate a package, or otherwise risk the package being removed from PyPI. pic.twitter.com/r0JOgT98Yg— Python Package Index (@pypi) August 24, 2022
“The phishing site looks fairly convincing,” explained Johnson.
“But as it’s on Google Sites, there’s a floating ‘info’ button at the bottom left. Clicking this allows you to report the site as a phishing attack, which I’ve done.”
PyPI identifies compromised packages
Unfortunately, some developers did fall for the phishing emails and entered their credentials on the attacker’s webpage, leading to their creations getting hijacked and laced with malware.
Among the list of hijacked versions of packages are, ‘spam’ (versions 2.0.2 and 4.0.2) and ‘exotel’ (version 0.1.6). These versions were taken down from PyPI yesterday, as confirmed by BleepingComputer.
PyPI admins further reassured that they had identified and removed “several hundred typosquats” that match the pattern.
The malicious code inserted in the hijacked versions exfiltrated the user’s computer name to domain linkedopports[.]com and further downloaded and launched a trojan that BleepingComputer saw making requests to the same illicit domain.
The malicious releases follow a similar pattern, again using linkedopports[dot]com. At this time, the malicious releases that we are aware of are:
– spam==2.0.2 and ==4.0.2
We’ve additionally taken down several hundred typosquats that fit the same pattern. pic.twitter.com/MjvhWGNAz3— Python Package Index (@pypi) August 24, 2022
“We’re actively reviewing reports of new malicious releases, and ensuring that they are removed and the maintainer accounts restored,” says PyPI.
“We’re also working to provide security features like 2FA more prevalent across projects on PyPI.”
Along with this, the registry admins shared a number of steps one could take to safeguard themselves from such phishing attacks, such as checking the URL of the page before providing their PyPI account credentials:
To verify that you’re not entering credentials in a phishing site, confirm that the URL in the address bar is https://t.co/diAe0xWm0R and that the site’s TLS certificate is issued to https://t.co/diAe0xWm0R. Additionally, consider using a browser-integrated password manager. pic.twitter.com/KRG0JK8NQU— Python Package Index (@pypi) August 24, 2022
The repeated malware incidents and attacks involving open source software components have forced registry administrators to step up security across their platforms. It remains yet to be seen how well would the added burden of securing their projects, in addition to developing them, aligns with the expectations of an open source software developer.