
"The worry here is that a developer would fall for the phish and enter their credentials into the fake domain, thus handing their credentials over to the criminals and enabling them to hijack legitimate PyPI accounts owned by the same developer. With this access, miscreants could inject malware into the compromised maintainer's existing Python packages, or even publish entirely new malicious ones, which would then run on users' machines and be capable of stealing secrets, credentials, cryptocurrency wallets, and other sensitive data."
"PyPI is extremely widely used, hosting over 681,400 projects and more than 15 million files, making it a target for a massive supply chain attack along the lines of the two npm attacks earlier this month. The foundation's security developer-in-residence Seth Larson on Tuesday said the latest phish, sent via email, asks PyPI users to 'verify their email address' for 'account maintenance and security procedures.' Failing to do so, it says, may result in a suspended account."
"'This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF,' Larson warned via the PyPI blog. 'If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately,' he said, adding that users should also review their accounts' security history for anything unusual, and report suspicious activity, such as potential phishing emails, to security@pypi.org."
PyPI users are being targeted by phishing emails that direct victims to a fake site (pypi-mirror.org) requesting email verification under threat of account suspension. The platform hosts over 681,400 projects and 15 million files, making compromised maintainer accounts a powerful vector for supply-chain attacks akin to recent npm incidents. Compromised credentials can allow attackers to hijack accounts, modify existing packages or publish malicious ones that can steal secrets, credentials, and cryptocurrency. Users who entered credentials are urged to change passwords immediately, review account security history, and report suspicious activity to security@pypi.org.
Read at The Register