PyPI warns of first-ever phishing campaign against its users (Security News, August 2022)
The community-run organization said this is the first known phishing attack against PyPI users.
"The phishing message claims that there is a mandatory 'validation' process being implemented, and invites users to follow a link to validate a package, or otherwise risk the package being removed from PyPI," the organization said via Twitter, adding that it never removes valid projects from the registry, only those violating terms of service.
The phishing pitch is convincing because popular package registries such as npm, RubyGems, and PyPI have in fact been adding security requirements, including mandatory multi-factor authentication for some maintainers, over the past few months and publishing details about the changes.
The attack against PyPI follows a recently disclosed phishing campaign dubbed Oktapus that targeted employees of authentication firm Okta several months ago.
According to PyPI, the phishing link deployed in the campaign leads to a website that mimics the organization's login page and steals any credentials the victim enters.
In response to the phishing campaign, PyPI announced that it is giving away free hardware security keys to the maintainers of critical projects, defined as the top 1 percent of projects by downloads over the past six months.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/08/26/pypi_warns_of_firstever_phishing/