
Warning for Developers: New Phishing Attack Targets PyPI and Mozilla Accounts
A sophisticated and dangerous phishing campaign is actively targeting developers with contributor access to the Python Package Index (PyPI) and Mozilla’s Firefox Add-ons (AMO) repository. The goal of this attack is to steal developer credentials to launch widespread software supply chain attacks.
This is not a routine phishing attempt; it is a calculated effort to compromise the core infrastructure of open-source software distribution. If successful, attackers could inject malicious code into widely-used packages and browser extensions, potentially affecting millions of users worldwide.
How the Phishing Attack Works
The attack is deceptive and designed to bypass common security measures, including some forms of two-factor authentication (2FA). Here’s a breakdown of the process:
The Bait: Developers receive an email that appears to be an official security alert from PyPI or Mozilla. These emails create a sense of urgency, often claiming there is a critical vulnerability in a package they maintain or that they must validate their account to avoid removal.
The Malicious Link: The email prompts the developer to click a link to review the issue or “validate” their credentials. This link leads to a highly convincing but fake login page that mirrors the authentic PyPI or AMO sign-in portal. The fraudulent domains are chosen to look legitimate, such as pypiregistry[.]org or firefox-addons[.]org.
Credential and 2FA Theft: Once a developer enters their username and password on the fake page, the attackers capture them. The page then prompts for a two-factor authentication (2FA) code. When the developer enters the code from their authenticator app, the attackers immediately relay it, together with the stolen password, to the real sign-in page and log in. A time-based one-time password (TOTP) stays valid for a short window (typically 30 seconds, plus whatever tolerance the server allows), so a code relayed within seconds is accepted. The 2FA is not broken; it is simply replayed in real time, before it expires.
By capturing both the static password and the temporary 2FA code, attackers gain full access to the developer’s account, enabling them to modify and publish compromised software.
The Real Threat: A Gateway to Supply Chain Attacks
Gaining access to a single developer account on a major repository is a critical security breach. A compromised account is a launchpad for a software supply chain attack.
Once in control, an attacker can:
- Inject Malware: Silently add spyware, ransomware, or credential-stealing malware into a new version of a legitimate package or add-on.
- Create Backdoors: Insert hidden backdoors into code that could be exploited later.
- Target Specific Users: Modify a package to attack a specific organization or industry that relies on it.
Because these updates are pushed from a seemingly trusted developer account, automated systems and users are likely to download and install the malicious versions without suspicion.
How to Protect Your Developer Accounts
Protecting your accounts requires vigilance and adopting stronger security practices. Standard security advice is more critical than ever.
1. Scrutinize All Login and Verification Requests
Be extremely suspicious of any unsolicited email asking you to log in or validate your account, especially one that conveys a strong sense of urgency. Always navigate directly to the official website by typing the URL (e.g., pypi.org or addons.mozilla.org) into your browser instead of clicking links in an email.
2. Meticulously Verify Website URLs
Before entering credentials, double-check the URL in your browser’s address bar. Look for subtle misspellings or different domains (e.g., .org vs. .com, extra words or hyphens, or the real name used as a subdomain of an unrelated domain). Ensure the connection uses https, but do not treat the padlock icon as proof of legitimacy: phishing sites routinely obtain valid TLS certificates, so the padlock only tells you that the connection to whatever domain is in the address bar is encrypted, not that the domain is the right one.
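As an added illustration (not from the original post or from Kaspersky), here is a small Python checker that applies the rule above to a link before you open it: exact match against the hosts that actually serve the sign-in pages, and rejection of anything else, including userinfo tricks (`pypi.org@...`), look-alike and subdomain variants, homoglyph hosts that encode to punycode, and plain http. The trusted-host set and the sample links are assumptions; the two defanged domains are the ones named earlier in the article.

```python
from urllib.parse import urlsplit

# Assumption: these are the only hosts you ever type credentials into for these services.
TRUSTED_LOGIN_HOSTS = {"pypi.org", "addons.mozilla.org"}


def refang(url: str) -> str:
    """Undo the [.] / hxxp defanging used in threat reports so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def extract_host(url: str):
    """Return the ASCII (IDNA-encoded) hostname of an https URL, or None if unusable.

    urlsplit(...).hostname drops userinfo ('pypi.org@evil.org' -> 'evil.org'),
    drops the port and lowercases the name, so the comparison below is on the
    host the browser would actually connect to.
    """
    parts = urlsplit(refang(url.strip()))
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        # Homoglyph hosts (e.g. a Cyrillic letter in the name) become xn-- labels.
        return parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_login_url(url: str) -> str:
    """Classify a link before pasting credentials into whatever it opens."""
    host = extract_host(url)
    if host is None:
        return "reject: not https or no parseable host"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"reject: punycode/homoglyph host {host}"
    for trusted in sorted(TRUSTED_LOGIN_HOSTS):
        if host.endswith("." + trusted):
            return f"reject: {host} is a subdomain, not the sign-in host {trusted}"
        if trusted.split(".")[0] in host:  # 'pypi' / 'addons' embedded in another name
            return f"reject: lookalike of {trusted}: {host}"
    return f"reject: untrusted host {host}"


if __name__ == "__main__":
    # Constructed sample links: the two domains from the article plus common variants.
    for link in [
        "https://pypi.org/account/login/",
        "https://addons.mozilla.org/en-US/firefox/",
        "https://pypiregistry[.]org/account/login/",
        "https://firefox-addons[.]org/validate",
        "https://pypi.org@pypiregistry.org/login",
        "https://pypi.org.validate-account.com/",
        "https://pyp\u0456.org/account/login/",  # Cyrillic i, looks like pypi.org
        "http://pypi.org/account/login/",
    ]:
        print(f"{check_login_url(link):55s} <- {link}")
```

The check is deliberately strict: an unexpected subdomain of a trusted host is rejected too, because the sign-in page lives at one exact host and a link to anywhere else is reason enough to type the address yourself.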
3. Upgrade to Phishing-Resistant 2FA
While 2FA from an authenticator app is good, it can be bypassed by a real-time phishing attack as described above, because the code is just a short secret the user can be tricked into typing anywhere. The strongest defense is a physical hardware security key that uses the FIDO2 or U2F standards (like a YubiKey), or a passkey built on the same WebAuthn protocol. These require physical interaction and bind the login to the site the browser is actually on: the key signs a challenge together with the origin, so a response produced on a look-alike domain is useless at the real site, and the browser will not even let a page on pypiregistry[.]org request a credential registered for pypi.org. Major platforms, including PyPI, encourage their use and now require 2FA of some form for all contributors.
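The two mechanisms at the heart of this article, the real-time TOTP relay from the attack description and the origin binding that lets FIDO2/WebAuthn resist it, as an added Python simulation. This is not code from the original post, not a real client or server, and not a faithful WebAuthn implementation: the shared TOTP secret, the device key, the origins and the HMAC standing in for the security key's ECDSA signature are all constructed assumptions. What it shows is why a relayed TOTP code verifies at the real site while a relayed FIDO2 response does not.

```python
import hashlib
import hmac
import json
import struct
import time

# --- Part 1: TOTP is a shared-secret code, so a code relayed within the window verifies ---

TOTP_STEP = 30
TOTP_SECRET = b"constructed-demo-secret-not-a-real-key"  # assumption: held by app and server


def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(t // TOTP_STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_totp(secret: bytes, submitted: str, now: float, skew_steps: int = 1) -> bool:
    """Typical server check: accept the current step and one step either side for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * TOTP_STEP), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


def relayed_totp_accepted(now: float, relay_delay_s: float = 5.0) -> bool:
    """Victim types the code into the fake page; the attacker submits it to the real site later."""
    code_typed_on_fake_page = totp(TOTP_SECRET, now)
    return server_verify_totp(TOTP_SECRET, code_typed_on_fake_page, now + relay_delay_s)


# --- Part 2: a FIDO2/WebAuthn assertion is bound to the origin the browser is really on ------

RP_ID = "pypi.org"
REAL_ORIGIN = "https://pypi.org"
FAKE_ORIGIN = "https://pypiregistry.org"          # the look-alike domain named in the article
DEVICE_KEY = b"constructed-demo-device-key"       # assumption: stands in for the key's private key


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes):
    """Browser + security key. The browser, not the page, writes the origin into clientData.

    HMAC over (rpIdHash || clientDataHash) stands in for the key's ECDSA signature.
    """
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        # Browser refuses: a page on pypiregistry.org cannot ask for pypi.org's credential.
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    ).encode()
    signed_bytes = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(DEVICE_KEY, signed_bytes, hashlib.sha256).digest()


def server_verify_assertion(client_data: bytes, signature: bytes, challenge: bytes) -> bool:
    """The real site checks origin and challenge inside clientData before the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != challenge.hex():
        return False
    signed_bytes = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    expected = hmac.new(DEVICE_KEY, signed_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def relayed_assertion_accepted(challenge: bytes) -> bool:
    """Attacker forwards pypi.org's challenge to the victim's browser on the fake site."""
    try:
        client_data, sig = browser_get_assertion(FAKE_ORIGIN, RP_ID, challenge)
    except PermissionError:
        # Best the fake page can do: ask for its own rpId. The response then carries the
        # fake origin and the wrong rpIdHash, so the real site rejects it either way.
        client_data, sig = browser_get_assertion(FAKE_ORIGIN, "pypiregistry.org", challenge)
    return server_verify_assertion(client_data, sig, challenge)


def genuine_assertion_accepted(challenge: bytes) -> bool:
    client_data, sig = browser_get_assertion(REAL_ORIGIN, RP_ID, challenge)
    return server_verify_assertion(client_data, sig, challenge)


if __name__ == "__main__":
    now = time.time()
    ch = b"constructed-challenge"
    print("relayed TOTP accepted by real site:  ", relayed_totp_accepted(now))
    print("relayed FIDO2 assertion accepted:    ", relayed_assertion_accepted(ch))
    print("genuine FIDO2 assertion accepted:    ", genuine_assertion_accepted(ch))
```

The asymmetry is the whole point: nothing in the TOTP flow ties the code to the site it was typed into, whereas the WebAuthn response is a signature over data the browser filled in, including the origin, so the phishing page cannot forge a response for pypi.org no matter what the victim does.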
4. Comply with Platform Security Updates
Repositories like PyPI are actively working to secure their ecosystems by mandating 2FA for contributors; PyPI has required it for all accounts that maintain projects since the start of 2024. If a platform requires you to enable 2FA, do it immediately, and prefer a phishing-resistant method where the platform offers one. These measures are put in place to protect both you and the entire user community from attacks like this one.
The security of the entire open-source ecosystem depends on the diligence of its contributors. Stay alert, verify every request, and upgrade your security to protect your code and its users.
Source: https://www.kaspersky.com/blog/mozilla-pypi-phishing-attacks/54048/