"Phishing PyPI Users: Attackers Compromise Legitimate Projects to Push Malware"

PyPI, the official third-party software repository for Python packages, is warning its users about a phishing campaign. It was discovered that some maintainers of legitimate projects had been compromised and that malware had been published as the latest release of those projects. According to the PyPI team, these releases have been removed from PyPI, and the affected maintainer accounts have been temporarily frozen. The malicious releases they are currently aware of are exotel (v0.1.6), spam (v2.0.2 and v4.0.2), and deep-translator (v1.8.5). They also stated that they removed hundreds of typosquats that follow the same pattern. The phishing email warned users that they needed to perform "package validation" to keep their PyPI packages from being removed from the online repository. Victims who clicked on the provided link were taken to a phishing site that looked exactly like PyPI's login page. According to Checkmarx security researcher Aviad Gershon, the domain "linkedopports[.]com" appears in the malicious package code and also serves as the location to which the phishing site attempts to send the stolen credentials. He added that they discovered another, previously unreported domain belonging to this attacker's infrastructure, which hosts a website imitating that of the LedgerLive crypto wallet app. The malicious packages attempt to download and execute a file from yet another URL; the file is unusually large and carries a valid code signature. This article continues to discuss the phishing campaign targeting PyPI users.

Help Net Security reports "Phishing PyPI Users: Attackers Compromise Legitimate Projects to Push Malware"