"Threat Actor Phishing PyPI Users Identified"
A previously unknown group dubbed "JuiceLedger" has been identified as the threat actor behind a recent phishing campaign specifically targeting users of the Python Package Index (PyPI). The threat actor first appeared earlier this year and is focused on distributing JuiceStealer, a .NET-based malware that searches for and steals browser and cryptocurrency-related information from infected systems. JuiceLedger initially distributed the information stealer through fake Python installer applications. However, beginning in August, SentinelOne and Checkmarx researchers observed the attacker attempting to poison Python packages on the PyPI repository, presumably to spread its malware to a wider audience. The threat actor's tactic has been to send a phishing email to PyPI users informing them that Google is implementing a new validation process for packages published on PyPI. According to the email, the measure was implemented in response to a significant increase in malicious PyPI packages being uploaded to the registry. It advised developers to validate their code packages with Google immediately to avoid having them removed from the registry. Users who clicked on the link were taken to a webpage appearing to be PyPI's login page. When users entered their credentials on the page, the information was sent to a JuiceLedger-controlled domain. This tactic appears to have tricked at least two developers into handing over their credentials, allowing JuiceLedger to access their widely used PyPI packages and poison them with malicious code. This article continues to discuss the threat actor behind the phishing campaign targeting PyPI users.
Dark Reading reports "Threat Actor Phishing PyPI Users Identified"