| 1 | +--- |
| 2 | +title: Phishing attacks with new domains likely to continue |
| 3 | +description: A new phishing campaign targeting PyPI users using similar tactics to previous campaigns. |
| 4 | +authors: |
| 5 | + - sethmlarson |
| 6 | +date: 2025-09-23 |
| 7 | +tags: |
| 8 | + - security |
| 9 | + - transparency |
| 10 | +links: |
| 11 | + - posts/2025-07-28-pypi-phishing-attack.md |
| 12 | + - posts/2025-07-31-incident-report-phishing-attack.md |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +Unfortunately the string of phishing attacks using domain-confusion |
| 17 | +and legitimate-looking emails continues. This is the [same attack PyPI saw a few months ago](2025-07-28-pypi-phishing-attack.md) |
| 18 | +and targeting many other open source repositories |
| 19 | +but with a different domain name. Judging from this, we believe this type of campaign will continue |
| 20 | +with new domains in the future. |
| 21 | + |
| 22 | +<!-- more --> |
| 23 | + |
| 24 | +In short, there's a new phishing campaign |
| 25 | +targeting PyPI users occurring right now. The email asks you to "verify their email address" |
| 26 | +for "account maintenance and security procedures" with a note that your account may be suspended. |
| 27 | +This email is fake, and the link goes to `pypi-mirror.org` which is a domain not owned by PyPI or the PSF. |
| 28 | + |
| 29 | +If you have already clicked on the link and provided your credentials, we recommend changing your |
| 30 | +password on PyPI immediately. Inspect your account's Security History for anything unexpected. |
| 31 | +Report suspicious activity, such as potential phishing campaigns against PyPI, to [`[email protected]`](mailto:[email protected]). |
| 32 | + |
| 33 | +## What is PyPI doing to protect users? |
| 34 | + |
| 35 | +There's no quick-and-easy method for PyPI maintainers to completely |
| 36 | +halt this sort of attack short of requiring phishing-resistant 2FA (such as hardware tokens). |
| 37 | +Below are the following steps we're taking to keep users safe: |
| 38 | + |
| 39 | +* Contacting the registrars and CDN of the malicious domains to have them taken down. |
| 40 | +* Submitting phishing domains to lists of known-malicious URLs. This makes browsers show a warning |
| 41 | + before visiting the website, hopefully triggering alarm bells for users. |
| 42 | +* Collaborating with other open source package managers to share strategies for quicker domain take-downs. |
| 43 | +* Exploring methods to make authenticating using TOTP-based 2FA more resistant to phishing. |
| 44 | + |
| 45 | +## What can you do as a maintainer? |
| 46 | + |
| 47 | +If you are a maintainer of a package on PyPI, you can help protect your users by adopting the following practices: |
| 48 | + |
| 49 | +* Don't trust or click on links in emails that you didn't trigger yourself. |
| 50 | +* Use a password manager that auto-fills based on domain name and exclusively using this feature. |
| 51 | + If auto-fill isn't working when it usually does, that is a warning sign! |
| 52 | +* Adopt a phishing-resistant 2FA method such as hardware keys. |
| 53 | +* When in doubt, ask for help before taking action. There is no shame in being cautious, share fishy-looking emails with others. |
| 54 | +* Share this warning within your own communities. PyPI is not the first or last open source service that will be targeted with phishing attacks. |
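Review bot: the second clause of line 50 does not parse as written, "Use a password manager that auto-fills based on domain name and exclusively using this feature."; suggest "Use a password manager that auto-fills based on domain name, and use that feature exclusively." so it reads as the instruction line 51 builds on (auto-fill failing on an unfamiliar domain is the warning sign). Two smaller wording points in the same hunk: on line 18, "and targeting many other open source repositories" hangs off "This is the same attack PyPI saw a few months ago" without a verb it agrees with (perhaps "which has also targeted many other open source repositories"), and on line 37 "Below are the following steps we're taking" is redundant ("Below are the steps we're taking"). Line 53 also joins two sentences with a comma; a semicolon or full stop after "cautious" would fix it.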