A phishing campaign is targeting users of the Python Package Index (PyPI) by threatening to remove their code packages if they don't put it through a bogus validation process, PyPI administrators have warned.

PyPI administrators are alerting users about the repository — which enables Python developers to publish and find code packages to use for building software — of emails that claim they are implementing a "mandatory 'validation' process," they said in a series of tweets outlining how the scam works.

The messages invite PyPI users to follow a link to perform the validation "or otherwise risk the package being removed from PyPI." The administrators assured users in a post that they would never remove a valid project from the index, and they only take down projects that are found to be malicious or violate the company's terms of service.

The campaign, which the administrators said is the first of its kind, steals users credentials to load compromised packages to the repository. The administrators noted that the phishing campaign does not target code repositories as a way to spread malware through the software supply chain.

The attackers behind the scam already have successfully stolen credentials from several PyPI users and uploaded malware into the projects they maintain to serve as the latest release for those projects, according to PyPI.

"These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen," according to PyPI's Twitter post.

How the Scam Works

According to PyPI, the initial phishing message dangles the lure that Google is behind the validation process of new and existing PyPI packages. Ironically, the message claims the new process is due to "a surge in malicious packages being uploaded to the PyPI.org domain."

The link takes the user to a phishing site that mimics PyPI's login page, which steals any credentials entered through a phishing site, "sites[dot]google[dot]com/view/pypivalidate." The data is sent to a URL on the domain "linkedopports[dot]com," according to PyPI.

PyPI administrators have been unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes but noted that accounts protected by hardware security keys are not vulnerable to the attack.

Repository administrators are in the process of actively reviewing reports of new malicious releases and ensuring that they are removed so the accounts that have been compromised are restored and their maintainers can continue to use PyPI.

Supply Chain in the Crosshairs

The campaign bucks the trend where threat actors are targeting public code repositories to distribute malware to the software supply chain. Flawed code can be a goldmine for threat actors, expansively widening the impact of malicious campaigns when compromised code is built into numerous applications or websites without developers or users knowing.

The Log4J case — in which a flaw in a widely used Java logging tool affected millions of applications, many of which are still vulnerable — brought this to light in a big way, and threat actors recently have ramped up attacks on code repositories as a way to spread malicious code quickly through the supply chain.

Earlier this month, PyPI removed 10 malicious code packages from the registry after a security vendor informed it about the issue. Threat actors targeted the registry by embedding malicious code into the package installation script.

PyPI has been aware of the target on its back and in the past few years has enacted several security initiatives to better protect its users.

These measures include the addition of two-factor authentication (2FA) as a login option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.

Thwarting the Attack

PyPI is currently working to make 2FA more prevalent across projects on the repository, administrators said, adding that PyPI users with 2FA already implemented should reset recovery codes if they think that their account has been compromised.

To avoid being phished altogether, PyPI users should confirm that the URL in the address bar of any email purporting to come from PyPI is http://pypi.org and that the site's TLS certificate is issued to http://pypi.org. Users also should consider using a browser-integrated password manager, administrators tweeted.

Enabling 2FA by using hardware security keys or WebAuthn 2FA also can help PyPI users avoid being compromised by phishing attempts, they said. In fact, to help facilitate better protection, the repository currently offers free hardware keys for maintainers of the top 1% of projects.

PyPI advised any users who think they've been compromised to contact [email protected] with details about the sender email address and URL of the malicious site to help administrators to respond to this issue.