
Phishing campaign targets PyPI users to steal credentials


The Python Software Foundation (PSF) on Sept. 23 warned users to reset their credentials after discovering a new phishing campaign targeting the Python Package Index (PyPI). The campaign tricks users into visiting a fake page that asks them to reset their credentials.

In a blog post, Seth Larson, security developer-in-residence at the PSF, explained that the phishing email asks potential victims to verify their email address for “account maintenance and security procedures,” with a warning that their account may otherwise be suspended.

The link then goes to a fake page — pypi.mirror.org — a domain not owned or operated by PyPI or the PSF.

“This is the same attack PyPI saw a few months ago and it’s targeting many other open source repositories, but with a different domain name,” wrote the PSF’s Larson. “Judging from this, we believe this type of campaign will continue with new domains in the future.”

Jason Soroko, senior fellow at Sectigo, said this case involving PyPI was a high-severity supply chain risk. Soroko added that a single compromised maintainer account can seed malware into widely used packages, and that the blast radius extends to CI systems and production.

“The lure uses convincing language and lookalike domains that defeat quick visual checks, so even seasoned developers can be caught,” said Soroko. “Because open-source ecosystems are highly transitive, one tainted update can cascade through thousands of downstream builds in hours. Treat it as a credible attempt to weaponize software distribution, and not just another phishing wave.”

Shane Barney, chief information security officer at Keeper Security, said while attackers will always find new domains to mimic, organizations can make those attempts far less effective. The goal for security leaders isn’t to chase every domain, but to build resilience so one bad click doesn’t become a breach.

“That starts with enforcing phishing-resistant MFA, like YubiKeys, for developers and admins,” said Barney. “Pairing that with password managers that auto-fill only on trusted domains closes off the most common entry points. It’s not about eliminating risk, it’s about putting enough guardrails in place that a single compromised credential doesn’t cascade into a larger incident.”
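The defensive point made above, and the one behind the PSF's warning that the same lure will return on new domains, is that a lookalike host such as pypi.mirror.org must be rejected by exact comparison, not by eye. The following is an added example, not code from the article, the PSF, or any vendor quoted here, showing the kind of exact-host allowlist check a password manager applies before auto-filling. The allowlist of PyPI login hosts and the sample links are assumptions constructed for the example; the fake-domain pattern matches what the article describes.

```python
"""Added example (not from the article or the PSF): exact-host matching
that refuses to auto-fill a PyPI credential on a lookalike domain."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumed allowlist: the hosts on which a stored PyPI credential may be filled.
# pypi.org and test.pypi.org are PyPI's real login hosts; a vault would hold
# this per credential.
PYPI_LOGIN_HOSTS = frozenset({"pypi.org", "test.pypi.org"})


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase host of an http(s) URL, or None if unparsable.

    urlsplit().hostname drops the port, userinfo and IPv6 brackets and
    lowercases, so "https://pypi.org@evil.example/" yields "evil.example".
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("https", "http"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # "pypi.org." names the same host as "pypi.org"


def should_autofill(url: str, trusted_hosts: Iterable[str] = PYPI_LOGIN_HOSTS) -> bool:
    """Fill only on an exact HTTPS host match against the allowlist.

    Substring and "looks similar" tests are deliberately absent: they are
    what pypi.mirror.org and pypi.org.<anything> are built to defeat.
    """
    if urlsplit(url.strip()).scheme != "https":
        return False
    host = normalize_host(url)
    return host is not None and host in set(trusted_hosts)


def classify_links(links: Iterable[str]) -> dict:
    """Label each link found in a suspect email as 'trusted' or 'lookalike'."""
    return {u: ("trusted" if should_autofill(u) else "lookalike") for u in links}


# Constructed sample links: the domain from the campaign plus common variants.
SAMPLE_LINKS = [
    "https://pypi.org/manage/account/",
    "https://pypi.mirror.org/account/verify",    # domain named in the article
    "https://pypi.org.account-verify.example/",  # real name used as a prefix
    "https://pypi.org@evil.example/login",       # userinfo trick
    "http://pypi.org/manage/account/",           # right host, wrong scheme
    "https://PyPI.org./manage/account/",         # case and trailing dot only
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:9} {link}")
```

Only the first and last sample links pass: every other variant fails the exact-host or HTTPS test even though several of them would survive a glance at the address bar.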

Danny Allan, chief technology officer at Snyk, added that it makes sense we now see phishing attacks focused on the people who control the code and software. Allan said capturing the developer's identity and authorization credentials means that all public and private software is potentially at risk of compromise.

“Internal monitoring systems are very much tuned toward the external threat, and not the compromised insider threat,” said Allan. “The best way to mitigate these types of attacks is to ensure consistent and comprehensive implementations of MFA. Given the access and downstream impact of the developer in an AI era, the industry needs to quickly understand and ensure additional guardrails and a greater focus on the developer as a source of potential risk.”
