The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages.
The social engineering attack entails sending security-themed messages that create a false sense of urgency by informing recipients that Google is implementing a mandatory validation process on all packages and that they need to click on a link to complete the validation before September, or risk getting their PyPI modules removed.
Should an unsuspecting developer fall for the scheme, users are directed to a lookalike landing page that mimics PyPI’s login page and is hosted on Google Sites, from where the entered credentials are captured and abused to unauthorizedly access the accounts and compromise the packages to include malware.
The phishing attack is yet another sign of how the open source ecosystem is increasingly at risk from threat actors, who are capitalizing on libraries and projects that are woven into the fabric of several applications to mount supply chain attacks that can have cascading effects.
