The Python Package Index, better known among developers as PyPI, has issued a warning about a phishing attack targeting developers. Researchers have stated that this is the first-ever known phishing campaign against the package repository. The attack has been relatively successful, wherein the hackers have compromised a few user accounts.
Diving into details
The phishers send security-themed emails creating a false sense of urgency.
The lure included informing targets that Google is executing a mandatory validation process on all packages. Failure to do so would result in the termination of their PyPI modules.
The malware is downloaded from a remote server. It is unusually large at approximately 63MB and has a valid signature.
Why this matters
This ongoing phishing attack is yet another indication of the huge amount of risk posed to the open-source ecosystem. These threat actors are capitalizing on open-source projects and libraries that are integrated with popular applications to conduct supply-chain attacks.
Other PyPI concerns
Checkmarx discovered that almost one-third of PyPI packages are vulnerable to a design feature that can enable a threat actor to automatically execute code.
A user had uploaded a dozen malicious Python packages to the repository as part of a typosquatting campaign targeting Counter-Strike 1.6 servers with DDoS attacks.
The bottom line
The attacks have led PyPI to announce that it is giving away free hardware security keys to critical project maintainers. However, PyPI packages have become a favorite target among cybercriminals, and developers are urged to implement all the necessary security measures.