Python developers targeted with new password-stealing phishing attacks - here's how to stay safe

News
By published

A major phishing campaign is still ongoing, experts warn

Illustration of a hooked email hovering over a mobile phone
(Image credit: Getty Images)
  • PyPI warns phishing attacks will persist using fake domains and urgent email tactics
  • Victims are tricked into verifying accounts via typosquatted sites like pypi-mirror.org
  • Users and maintainers urged to adopt phishing-resistant 2FA and domain-aware password managers

Phishing attacks against PyPI users and maintainers are going to continue, the foundation is warning, as it urged members to tighten up on security and remain vigilant.

A new blog post, published by the foundation's security developer-in-residence, Seth Larson,noted the most recent attacks are a continuation of a months-long campaign that uses convincing emails and typosquatted domains to steal people’s login credentials.

“Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues," Larson wrote. "This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name. Judging from this, we believe this type of campaign will continue with new domains in the future.”

How to stay safe

In the emails, the victims are asked to “verify” their addresses for “account maintenance and security procedures”, and threatened with account closure if they don’t comply.

This sense of urgency and threat is typical for a phishing email, which redirects victims to pypi-mirror.org, a domain not owned by PyPI or the Python Software Foundation.

“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately,” Larson warned. “Inspect your account's Security History for anything unexpected. Report suspicious activity, such as potential phishing campaigns against PyPI, to security@pypi.org.”

Phishing is both extremely difficult, and extremely easy to defend against. In theory, just using common sense and thinking before clicking should suffice in most cases. However, just in case of a drop in focus, users are advised to use phishing-resistant 2FA such as hardware tokens.

Maintainers, on the other hand, should use a password manager which auto-fills based on domain name. If auto-fill isn’t working when it usually does, that is a huge red flag. Phishing-resistant 2FA is also recommended.

Via The Register

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.