A highly advanced phishing campaign targeted maintainers of packages on the Python Package Index (PyPI), utilizing domain confusion methods to obtain login credentials from unsuspecting developers. The campaign leverages fake emails made to copy authentic PyPI communications and send recipients to fake domains that mimic the genuine PyPI infrastructure.
Campaign tactic
The phishing operation uses meticulously drafted emails that ask users to confirm their email address for “account maintenance and security reasons,” cautioning that accounts will be suspended if not done.
These fake emails scare users, pushing them to make hasty decisions without confirming the authenticity of the communication. The phony emails redirect the victims to the malicious domain pypi-mirror.org, which mimics the genuine PyPI mirror but is not linked to the Python Software Foundation.
Broader scheme
This phishing campaign highlights a series of attacks that have hit PyPi and similar other open-source repositories recently. Hackers have started changing domain names to avoid getting caught.
Experts at PyPI said that these campaigns are part of a larger domain-confusion attack to abuse the trust relationship inside the open-source ecosystem.
The campaign uses technical deception and social engineering. When users open the malicious links, the
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: