I’ve just received an e-mail that looks strongly like a phishing attempt. The sender is PyPi <noreply@pypi-packages.org>. The e-mail instructs the receiver to go and “validate” their PyPI package on a Google-hosted website that asks for the PyPI username and password: https://sites.google.com/view/pypivalidate/validate-pypi-package
The e-mail text claims that:
Google has implemented a mandatory validation process on all PyPi packages (this includes existing packages) due to a surge in malicious PyPi packages being uploaded to the PyPi.org domain
It seems like someone with contacts at Google might want to contact them to at least take down that website.
Almost certainly a phishing attempt - the links in the email point to https://afge.us11.list-manage.com/track/ which could just be a campaign tracking site (domain appears to be somehow related to MailChimp, but WHOIS indicates the TLD registrant is one Sharon Rosenbaum of “The Rocket Science Group LLC” in Atlanta, Georgia).
Some users were compromised and malware published to legitimate projects. We’ve removed those releases, but please direct any reports in the future to security@pypi.org.
Thanks for the quick response. Maybe also try to get the pypi-packages.org domain taken down? Per its WHOIS, it looks like it was registered with Namecheap, so they should be emailed. Or if it was spoofed, maybe some SPF/DKIM needs to be updated?
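The two questions raised in the thread so far, whether the mail was sent from a spoofed pypi.org address or from a separately registered lookalike domain, and where its links actually lead, can be answered from the message headers and body. The script below is an added example, not code from the thread or from PyPI: it parses a constructed message modelled on the one described above (the Return-Path and Authentication-Results lines are assumptions, written as a mail relay would record an SPF/DKIM pass for the Mailchimp sending domain), checks whether the SPF/DKIM-authenticated domains align with the visible From domain, and flags link hosts and sender domains that carry the PyPI brand without being pypi.org. The organisational-domain comparison uses the last two labels and is a simplification; a production check would consult the public suffix list.

```python
"""Triage a suspicious e-mail: SPF/DKIM alignment, link extraction, lookalike domains.

Added example. RAW_MESSAGE is constructed for illustration; the
Authentication-Results and Return-Path values are assumptions.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RAW_MESSAGE = b"""Return-Path: <bounce@us11.list-manage.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=us11.list-manage.com; dkim=pass header.d=list-manage.com; dmarc=none header.from=pypi-packages.org
From: PyPi <noreply@pypi-packages.org>
To: maintainer@example.net
Subject: Mandatory validation of your PyPI package
Content-Type: text/plain; charset="utf-8"

Google has implemented a mandatory validation process on all PyPi packages.
Validate now: https://afge.us11.list-manage.com/track/
Validation form: https://sites.google.com/view/pypivalidate/validate-pypi-package
"""

# Domains the real service would send from or link to.
TRUSTED = ("pypi.org", "python.org", "pythonhosted.org")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def address_domain(value: str) -> str:
    """Domain part of an RFC 5322 address header value, lower-cased."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def same_org(a: str, b: str) -> bool:
    """Crude organisational-domain match on the last two labels (simplification:
    no public suffix list, so co.uk-style suffixes are not handled)."""
    if not a or not b:
        return False
    return a.split(".")[-2:] == b.split(".")[-2:]


def auth_results(msg: EmailMessage) -> dict:
    """Pull spf/dkim/dmarc verdicts and the domains they were evaluated on
    out of the Authentication-Results header (RFC 8601 syntax)."""
    hdr = str(msg.get("Authentication-Results", ""))
    out = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
        out[m.group(1)] = m.group(2).lower()
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(re.escape(key) + r"=([\w.-]+)", hdr)
        if m:
            out[key] = m.group(1).lower()
    return out


def alignment_findings(msg: EmailMessage) -> list[str]:
    """A passing SPF or DKIM result only vouches for the domain it was
    evaluated on; if that domain does not align with the visible From domain
    the pass says nothing about the sender the user sees (DMARC's point)."""
    ar = auth_results(msg)
    from_dom = address_domain(msg.get("From", ""))
    findings = []
    for mech, dom_key in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        verdict = ar.get(mech, "missing")
        dom = ar.get(dom_key, "")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
        elif not same_org(dom, from_dom):
            findings.append(f"{mech}=pass but for {dom}, not From domain {from_dom}")
    if ar.get("dmarc") != "pass":
        findings.append(f"dmarc={ar.get('dmarc', 'missing')}: From domain {from_dom} not protected")
    return findings


def lookalike(domain: str, trusted=TRUSTED) -> str | None:
    """Return the trusted domain this one imitates: it carries the brand label
    (e.g. 'pypi') in its registrable label but is neither that domain nor a
    subdomain of it. Returns None for genuine and unrelated domains."""
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    for t in trusted:
        if t.split(".")[0] in registrable:
            return t
    return None


def extract_urls(msg: EmailMessage) -> list[str]:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return URL_RE.findall(text)


def triage(raw: bytes) -> dict:
    msg = parse_message(raw)
    from_dom = address_domain(msg.get("From", ""))
    findings = alignment_findings(msg)
    hit = lookalike(from_dom)
    if hit:
        findings.append(f"From domain {from_dom} imitates {hit}")
    urls = extract_urls(msg)
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        hit = lookalike(host)
        if hit:
            findings.append(f"link host {host} imitates {hit}")
        elif not any(host == t or host.endswith("." + t) for t in TRUSTED):
            findings.append(f"link host {host} is not a PyPI/Python domain")
    return {"from_domain": from_dom, "auth": auth_results(msg), "urls": urls, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print(line)
```

Read the result the way the thread does: SPF and DKIM passing for list-manage.com while the From header says pypi-packages.org means the mail was not spoofed from pypi.org but sent, with valid authentication, from a bulk-mail provider on behalf of a lookalike domain, so the remedy is a takedown of that domain and the hosted form rather than an SPF/DKIM fix on PyPI's side.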
Given a hardware security key would thwart this attack but TOTP may be vulnerable, how come maintainers of critical projects who have previously gone to the effort to enable 2FA (like myself) aren’t eligible for the free hardware security key, only those who haven’t yet bothered to do so? I know that wasn’t the intent, but it feels like it penalizes maintainers who take the effort to proactively implement good security practices while rewarding those who haven’t. For context, I’m a broke student who’s already spent way too much of my limited money buying successive generations of Yubikeys and FIDO/2/U2F keys (only to have them repeatedly obsoleted) to otherwise justify purchasing yet another key just for PyPI.
I understand the financial concern, but to me there’s another problem: what happens if I lose the security key? Usually those look like random tiny bits of plastic.
That’s why you get two keys. You can keep the second one as a backup in a safe place at home. I have had my YubiKey attached to my physical key ring for years. They are sturdy and waterproof.
Most smartphones and tablets come with a USB-C port these days. Security keys come in USB-A, USB-C, or even both. Some even act as a smartcard and can communicate over NFC. I guess Apple users need to get an adapter or a device with a Lightning port, e.g. the YubiKey 5Ci.
lol I assumed that was only for charging. Does that mean I could (for example) attach an external hard disk on that port?
I guess the other aspects of this question are what capabilities the free keys PyPI is offering provide, and can they be used as well as a 2FA app, or if I switch to the key will I lose the ability to use the app as a backup for when I don’t have my key with me[1]?
To be honest, for PyPI access I’m willing to accept a certain loss of convenience for increased security. My questions are more relevant in a broader context, though (I’d hate to need a hardware key to comment on github issues, for instance, even though needing one to make commits might be advisable).
[1] Although I suspect I know the answer to that, as if I can use either, security is only as good as the weakest.
Cool. Reiterating my previous question, can I use the key in addition to my existing TOTP app (i.e., key when I have it available, TOTP when I don’t), or is it an either-or thing? And does it do both USB-C and “old” USB, or just one?
I guess the other aspects of this question are what capabilities the free keys PyPI is offering provide, and can they be used as well as a 2FA app, or if I switch to the key will I lose the ability to use the app as a backup for when I don’t have my key with me?
You can have both enabled and use either upon login. We recommend using WebAuthn (hardware keys) and reserving TOTP for backup access if you lose your hardware key.
And does it do both USB-C and “old” USB, or just one?