PyPI Warns of First-Ever Phishing Campaign Against Its Users

 

The Python Package Index, PyPI, issued a warning this week about an ongoing phishing campaign aimed at stealing developer credentials and injecting malicious updates into the repository’s packages.
“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” states the warning.
The phishing messages try to trick recipients into clicking a link, claiming they must comply with a new mandatory Google validation process for all packages. Recipients are urged to complete the validation process by September to avoid having their packages removed from PyPI.
When users click the link, they are taken to a Google Sites landing page that looks similar to PyPI’s login page. After obtaining the user account credentials, the attackers were able to push malicious updates to legitimate packages.
“The phishing attempt and the malicious packages are linked by the domain linkedopports[.]com, which appears in the malicious package code and also functions as the location to which the phishing site tries to send the stolen credentials,” reads the analysis published by Checkmarx.
This campaign’s malicious packages attempt to download and execute a file from the URL hxxps:/python-release[.]com/python-install.scr. The pack

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
