Scammers have tricked PyPI Python package maintainers into giving away their login credentials, then used the passwords to log in and taint the packages with malware, experts have claimed.
The news was confirmed by Django project board member Adam Johnson, after being attacked himself, with "hundreds” of packages being affected.
According to the report, an unknown threat actor sent out phishing emails to package maintainers, claiming they need to “validate” themselves, otherwise their packages would be removed from the platform. Johnson said clicking on the link in the email sent the targets to a “fairly convincing” phishing site.
Hundreds of tainted packages
Some maintainers fell for it, the report says, giving their login credentials to the fraudsters. They used that information to hijack “several hundreds” packages, which were later removed from the platform, it was confirmed. Among the malicious things the code does is exfiltrating the endpoint's computer name to domain linkedopports[.]com and downloading a trojan.
"We're actively reviewing reports of new malicious releases, and ensuring that they are removed and the maintainer accounts restored," says PyPI. "We're also working to provide security features like 2FA more prevalent across projects on PyPI."
PyPI, the world’s largest Python code repository, with more than 600,000 active users, has been under a barrage of attacks lately. Less than a month ago, researchers found almost a dozen malicious packages, all “typosquats”. Typosquatting is a malware distribution technique in which the malicious package has a name almost identical to the authentic one, carrying only a small “typo”, which might trick developers into downloading and using that one, instead of the authentic one.
Just last week, another dozen malicious packages were discovered, whose goal was to steal sensitive data stored in browsers, install backdoors into the Discord client, steal authentication tokens, and payment data.
- These are the best firewalls around
Via: BleepingComputer
