blog.pypi.org - The Python Package Index Blog - PyPI users are receiving emails directing them to log in to a fake PyPI site.
PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site.
Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled:
[PyPI] Email verification
from the email address noreply@pypj.org.
Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org.
This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.
The email instructs users to follow a link to verify their email address, which leads to a phishing site that looks like PyPI but is not the official site.
The user is prompted to log in, and the phishing site relays the requests to PyPI, so the user may believe they have logged in to PyPI when in reality they have handed their credentials to the phishing site.
PyPI admins are looking into several ways of handling this attack, and want to make sure users are aware of the phishing attempt while we investigate the options.
There is currently a banner on the PyPI homepage to warn users about this phishing attempt.
Always inspect the URL in the browser before logging in.
We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent them regarding the phishing site.
If you have received this email, do not click on any links or provide any information. Instead, delete the email immediately.
If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account's Security History for anything unexpected.
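A defender-side check for the lookalike-domain pattern described above, written as an added example rather than PyPI's own tooling: it flags sender and link domains that are within a small edit distance of pypi.org, such as pypj.org. The trusted-domain set, the distance threshold and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: these are the only domains a genuine PyPI notification would use.
TRUSTED = {"pypi.org", "python.org"}


def registrable(host: str) -> str:
    """Reduce 'docs.python.org' to 'python.org' (assumes a two-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'pypj.org' is one edit away from 'pypi.org'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, max_dist: int = 2) -> "str | None":
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED:
        return None
    return next((t for t in TRUSTED if edit_distance(dom, t) <= max_dist), None)


def audit(raw_message: str) -> list:
    """List (kind, value, imitated_domain) for each lookalike sender or link in a plain-text mail."""
    msg = message_from_string(raw_message)
    findings = []
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if sender and (hit := lookalike_of(sender.group(1))):
        findings.append(("sender", sender.group(1), hit))
    body = str(msg.get_payload(decode=True) or b"", "utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if hit := lookalike_of(urlparse(url).hostname or ""):
            findings.append(("link", url, hit))
    return findings


# Constructed sample modelled on the campaign described above; the token is a placeholder.
SAMPLE = """\
From: PyPI <noreply@pypj.org>
Subject: [PyPI] Email verification

Please verify your email address: https://pypj.org/account/verify/?token=PLACEHOLDER
"""
```

Running `audit(SAMPLE)` reports both the sender domain and the link as imitations of pypi.org, while a link to docs.python.org is left alone because its registrable domain is trusted.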
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email address is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can use these packages to exfiltrate data or execute commands without our knowledge. These seven packages:
Coffin-Codes-Pro
Coffin-Codes-NET2
Coffin-Codes-NET
Coffin-Codes-2022
Coffin2022
Coffin-Grave
cfc-bsb
use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
These packages have since been removed from the Python Package Index (PyPI).
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean
In today’s post, we’ll explore the process of designing and developing malware for macOS, which is a Unix-based operating system. We’ll use a classic approach to understanding Apple’s internals. To follow along, you should have a basic understanding of exploitation, as well as knowledge of C and Python programming, and some familiarity with low-level assembly language. While the topics may be advanced, I’ll do my best to present them smoothly.
In the realm of software development, open-source tools and packages play a pivotal role in simplifying tasks and accelerating development processes. Yet, as the community grows, so does the number of bad actors looking to exploit it. A recent example involves developers being targeted by seemingly legitimate Python obfuscation packages that harbor malicious code.
Since early April 2023, an attacker has been relentlessly deploying hundreds of malicious packages through various usernames, accumulating nearly 75,000 downloads. Our team at Checkmarx’s Supply Chain Security has been on this malicious actor’s trail since early April, documenting each step of its evolution. We have been actively observing an attacker who seems to be ever more refining their craft.
Netskope Threat Labs is tracking a campaign that uses malicious Python scripts to steal Facebook users’ credentials and browser data. This campaign targets Facebook business accounts with bogus Facebook messages with a malicious file attached. The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.
Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being "smart" means performing actions depending on the context, the environment, or user actions.
For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer.