
PyPI packages succumb to Mailchimp phishing scam

The news comes after "fairly convincing" phishing emails from a Mailchimp account swindled developers into revealing credentials


Administrators at the Python Package Index (PyPI) registry have confirmed an active phishing campaign aimed at stealing credentials from package developers.

Django project board member Adam Johnson first broke the news on Twitter after receiving a suspicious email that urged him to comply with a mandatory process to validate any and all PyPI packages before September. The email reportedly came from a Mailchimp account.


“Please validate your package with Google to avoid having your PyPi package removed from PyPi.org,” read the email.

Adding to the trickery, the email said Google had mandated the validation process “due to a surge in malicious PyPi packages being uploaded to the PyPi.org domain”.

The phishing site itself looks fairly convincing, according to Johnson. Consequently, a few unsuspecting developers entered their credentials on the malicious webpage, which mirrored PyPI’s login page, and their packages were hijacked as a result.

“Exotel” (version 0.1.6) and “spam” (versions 2.0.2 and 4.0.2) are among the packages PyPI identified as compromised and rife with malware.

The aforementioned releases have been removed from PyPI, and the associated maintainer accounts are temporarily inaccessible. “We’ve additionally taken down several hundred typosquats that fit the same pattern,” added PyPI’s Security team.

PyPI also recommended that users enable two-factor authentication, ideally through hardware security keys or WebAuthn, as a precaution. In the event that a developer has already entered credentials on the phishing site, PyPI recommends resetting the password and 2FA recovery codes, and reviewing the account for any suspicious activity.
