PyPI Phishing Attack: Incident Report
9 months ago
- #Phishing
- #PyPI
- #Cybersecurity
- Phishing attack targeted PyPI users via email, with a phishing domain mimicking PyPI.org.
- Four user accounts were compromised, two API tokens were generated by the attackers, and two malicious releases were uploaded to the 'num2words' project.
- Attackers used a forward proxy setup to mimic PyPI.org, exploiting minor URL differences (e.g., 'pypj.org' vs. 'pypi.org').
- Two-factor authentication (2FA) could mitigate such attacks, but a proxying phishing site can still bypass it by intercepting the session cookie or relaying the TOTP code.
- The phishing domain was eventually taken down after reports to the registrar and CDN provider, though initial responses were slow.
- Impact included malware distribution via compromised PyPI packages, with quick removal by the project owner.
- Recommendations include enabling 2FA, using WebAuthn for stronger security (its credentials are bound to the real origin, so a lookalike domain cannot replay them), and removing dormant PyPI accounts.
- The PSF is exploring acquiring similar domain names to prevent future phishing attacks.
- Indicators of compromise (IoCs) include phishing domains, IP addresses, and malicious package versions.
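As an added defensive example (not code from the incident report or from PyPI), the check below flags lookalike domains such as the 'pypj.org' one named above in a batch of URLs pulled from mail or proxy logs. The allowlist of legitimate hosts, the edit-distance threshold and the sample links other than pypj.org are assumptions.

```python
"""Flag lookalike PyPI domains in URLs pulled from mail or proxy logs (added example)."""
from urllib.parse import urlsplit

# Hosts a PyPI user legitimately reaches. Assumed allowlist, not taken from the report.
LEGIT_HOSTS = {"pypi.org", "test.pypi.org", "files.pythonhosted.org"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'pypj.org' vs 'pypi.org' is one substitution, so it scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels as a crude eTLD+1 (assumption: no multi-part public suffixes)."""
    return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legit"
    for legit in LEGIT_HOSTS:
        # One edit away at the registrable level catches pypj.org-style typosquats.
        if levenshtein(registrable(host), registrable(legit)) <= 1:
            return "lookalike"
        # Brand label embedded in an unrelated domain: pypi-org.example, pypi.org.login.example
        if registrable(legit).split(".")[0] in host.replace("-", ""):
            return "lookalike"
    return "unrelated"

def triage(urls):
    """Group a batch of URLs by verdict so lookalikes can be blocked or reported."""
    out = {"legit": [], "lookalike": [], "unrelated": []}
    for u in urls:
        out[classify(u)].append(u)
    return out

# Constructed sample links; only pypj.org is named in the incident write-up.
SAMPLE_LINKS = [
    "https://pypi.org/manage/account/",
    "https://files.pythonhosted.org/packages/num2words-0.0.0.tar.gz",
    "https://pypj.org/account/login/",
    "https://pypi-org.example/account/login/",
    "https://docs.python.org/3/",
]
```

A real deployment would swap the two-label heuristic for a public-suffix list and add confusable-character normalisation (e.g. digit 1 for l), but the triage shape stays the same.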