Phishing attempt ("[PyPi] Package Validation")

Hello,

I’ve just received an e-mail that looks strongly like a phishing attempt. The sender is PyPi <noreply@pypi-packages.org>. The e-mail instructs the receiver to go and “validate” their PyPI package on a Google-hosted website that asks for the PyPI username and password: https://sites.google.com/view/pypivalidate/validate-pypi-package

The e-mail text claims that:

Google has implemented a mandatory validation process on all PyPi packages (this includes existing packages) due to a surge in malicious PyPi packages being uploaded to the PyPi.org domain

It seems like someone with contacts at Google might want to contact them to at least take down that website.

5 Likes

Just a note that Gmail tried to send the email notification for this topic to my spam folder (it only reached my inbox because of a custom filter).

Almost certainly a phishing attempt - the links in the email point to https://afge.us11.list-manage.com/track/ which could just be a campaign tracking site (domain appears to be somehow related to MailChimp, but WHOIS indicates the TLD registrant is one Sharon Rosenbaum of “The Rocket Science Group LLC” in Atlanta, Georgia).

Also reported on Twitter: https://twitter.com/AdamChainz/status/1562372544535175168

Rocket Science Group are the company behind MailChimp. If their platform is being used to send phishing emails it should be reported to them as well.

This is indeed part of a larger phishing attack: https://twitter.com/pypi/status/1562442188285308929

Some users were compromised and malware published to legitimate projects. We’ve removed those releases, but please direct any reports in the future to security@pypi.org.

2 Likes

Thanks for the quick response. Maybe also try to get the pypi-packages.org domain taken down? Per its whois, looks like it was registered with namecheap, so they should be emailed. Or if it was spoofed, maybe some SPF/DKIM needs to be updated?
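The post above raises the spoofing question (SPF/DKIM). A triage script that checks the authentication results and the sender/link domains of a suspicious message, as an added example that is not part of this thread or of PyPI's tooling. The message, the receiving host `mx.example.net` and the `LEGITIMATE_DOMAINS` set are constructed assumptions for the demo; it also shows the caveat that a look-alike domain such as `pypi-packages.org` can legitimately pass SPF for itself, so a passing result is not evidence the mail is genuine.

```python
"""Triage checks for a suspected phishing e-mail: authentication results,
display-name/domain mismatch, and off-brand link hosts.

Added example; the sample message below is constructed, not the real e-mail."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message; header values are placeholders, not captured data.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=pypi-packages.org; dkim=none; dmarc=none
From: PyPi <noreply@pypi-packages.org>
To: maintainer@example.net
Subject: [PyPi] Package Validation

Google has implemented a mandatory validation process on all PyPi packages.
https://sites.google.com/view/pypivalidate/validate-pypi-package
"""

# Domains the impersonated brand actually sends from (assumption for the demo).
LEGITIMATE_DOMAINS = {"pypi.org", "python.org"}
BRAND_WORDS = {"pypi"}


def parse_auth_results(header):
    """Return e.g. {'spf': 'pass', 'dkim': 'none'} from an Authentication-Results header."""
    results = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I):
        results[method.lower()] = verdict.lower()
    return results


def triage(raw):
    """Return a list of human-readable findings for the raw message text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. Authentication: anything other than a pass is worth noting. Note that
    #    spf=pass for pypi-packages.org only proves the mail came from that
    #    domain's authorised servers, not that the domain is the real brand.
    auth = parse_auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")

    # 2. Display name carries the brand but the sender domain is not a known one.
    if any(w in name.lower() for w in BRAND_WORDS) and domain not in LEGITIMATE_DOMAINS:
        findings.append(f"brand name '{name}' but sender domain '{domain}' is not a known sender")

    # 3. Links that use the brand keyword while being hosted somewhere else.
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s]+", body):
        host = url.split("/")[2].lower()
        if any(w in url.lower() for w in BRAND_WORDS) and host not in LEGITIMATE_DOMAINS:
            findings.append(f"link with brand keyword hosted off-brand: {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("-", finding)
```

On the constructed sample the script reports `dkim=none` and `dmarc=none`, the `PyPi` display name on a non-PyPI domain, and the Google Sites link, while SPF itself passes: the domain was registered by the attacker rather than spoofed, so the fix is takedown (as happened) rather than a change to pypi.org's SPF/DKIM records.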

Given a hardware security key would thwart this attack but TOTP may be vulnerable, how come maintainers of critical projects who have previously gone to the effort to enable 2FA (like myself) aren’t eligible for the free hardware security key, only those who haven’t yet bothered to do so? I know that wasn’t the intent, but it feels like it penalizes maintainers who take the effort to proactively implement good security practices while rewarding those who haven’t. For context, I’m a broke student who’s already spent way too much of my limited money buying successive generations of Yubikeys and FIDO/2/U2F keys (only to have them repeatedly obsoleted) to otherwise justify purchasing yet another key just for PyPI.

1 Like

We’re planning on removing this restriction, stay tuned.

3 Likes

I emailed Namecheap about this, and they say they have suspended pypi-packages.org.

3 Likes

I understand the financial concern, but to me there’s another problem: what happens if I lose the security key? Usually those look like random tiny bits of plastic.

2 Likes

Plus, how do I log onto my account on a device (phone, tablet) that doesn’t have a USB port?

That’s why you get two keys. You can keep the second one as a backup in a safe place at home. I have had my Yubikey attached to my physical key ring for years. They are sturdy and waterproof.

Most smartphones and tablets come with a USB-C port these days. Security keys come in USB-A, USB-C, or even both. Some even act as a smartcard and can communicate over NFC. I guess Apple users need to get an adapter or a device with a lightning port, e.g. YubiKey 5Ci.

Hmm, how does that happen? When I bought a Yubikey I only received a single one.

lol I assumed that was only for charging. Does that mean I could (for example) attach an external hard disk on that port?

I guess the other aspects of this question are what capabilities do the free keys PyPI are offering provide, and can they be used as well as a 2FA app, or if I switch to the key will I lose the ability to use the app as a backup for when I don’t have my key with me[1]?

To be honest, for PyPI access I’m willing to accept a certain loss of convenience for increased security. My questions are more relevant in a broader context, though (I’d hate to need a hardware key to comment on github issues, for instance, even though needing one to make commits might be advisable).

1. Although I suspect I know the answer to that, as if I can use either, security is only as good as the weakest.

I was referring to PyPI 2FA Security Key Giveaway · PyPI. The giveaway includes two keys.

1 Like

We just announced this: https://twitter.com/pypi/status/1562825018618261504

1 Like

Cool. Reiterating my previous question, can I use the key in addition to my existing TOTP app (i.e., key when I have it available, TOTP when I don’t), or is it an either-or thing? And does it do both USB-C and “old” USB, or just one?

Sorry, I missed your questions.

I guess the other aspects of this question are what capabilities do the free keys PyPI are offering provide, and can they be used as well as a 2FA app, or if I switch to the key will I lose the ability to use the app as a backup for when I don’t have my key with me?

You can have both enabled and use either upon login. We recommend using WebAuthn (hardware keys) and reserving TOTP for backup access if you lose your hardware key.

And does it do both USB-C and “old” USB, or just one?

Not sure if I understand this question? The giveaway offers both USB-C and USB-A keys, and both also support NFC: https://store.google.com/product/titan_security_key

1 Like
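Two earlier posts in this thread state that a hardware key would thwart this attack while TOTP may be vulnerable, and that WebAuthn should be the primary factor with TOTP kept for backup. The following added example (not PyPI code) shows the reason in runnable form: a look-alike site can relay a TOTP code to the real site unchanged, whereas a WebAuthn assertion carries the origin the browser actually saw and the hash of the relying-party ID, so the real site rejects it. The signature is modelled with HMAC over a shared credential key instead of a real public-key signature so that it runs offline; the secrets, challenge and the domain `pypi-packages.example` are constructed.

```python
"""TOTP relay versus origin-bound WebAuthn assertion.

Added example; WebAuthn is modelled (HMAC instead of an asymmetric signature,
real flows use public-key signatures), but the origin/rpId checks are the part
that makes the difference and are shown as the relying party performs them."""
import hashlib
import hmac
import json
import struct


# --- TOTP (RFC 6238): the code depends only on the shared secret and the time ---
def totp(secret, for_time, step=30, digits=6):
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_login(server_secret, submitted_code, now):
    """The server cannot tell where the code was typed; it only checks the value."""
    return hmac.compare_digest(totp(server_secret, now), submitted_code)


# --- WebAuthn-style assertion: signed data includes origin and rpIdHash ---
def authenticator_sign(cred_key, rp_id, challenge, origin):
    """Model of what the key signs: hash(clientDataJSON with origin) + rpIdHash.
    The browser, not the page, fills in `origin`, and it only allows an rp_id
    that matches the page's own domain."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred_key, rp_id, expected_origin, issued_challenge, assertion):
    """Relying party checks origin, challenge and rpIdHash before the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != issued_challenge:
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def simulate_relay(now=1_700_000_000):
    """A look-alike site forwards whatever the victim produces to the real site.
    Returns (totp_relay_ok, webauthn_relay_ok, direct_webauthn_ok)."""
    totp_secret = b"constructed-shared-secret"   # constructed
    cred_key = b"constructed-credential-key"     # constructed
    real_rp = "pypi.org"
    real_origin = "https://pypi.org"
    fake_rp = "pypi-packages.example"            # constructed look-alike domain

    # TOTP: the code typed into the look-alike page is valid at the real site.
    victim_code = totp(totp_secret, now)
    totp_relay_ok = totp_login(totp_secret, victim_code, now)

    # WebAuthn: the real site issues a challenge and the look-alike page forwards
    # it, but the browser binds the assertion to the look-alike origin and rpId.
    challenge = "constructed-challenge"
    relayed = authenticator_sign(cred_key, fake_rp, challenge, "https://" + fake_rp)
    webauthn_relay_ok = rp_verify(cred_key, real_rp, real_origin, challenge, relayed)

    # The same key used on the genuine origin is accepted.
    honest = authenticator_sign(cred_key, real_rp, challenge, real_origin)
    direct_ok = rp_verify(cred_key, real_rp, real_origin, challenge, honest)
    return totp_relay_ok, webauthn_relay_ok, direct_ok


if __name__ == "__main__":
    print(simulate_relay())
```

`simulate_relay()` returns `(True, False, True)`: the relayed TOTP code logs in, the relayed assertion is rejected at the origin check before any signature is examined, and the direct assertion succeeds. This is why keeping TOTP enabled as a backup, as recommended above, still leaves the TOTP path phishable; the hardware key only closes the gap when it is the factor actually used.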

@dustin I tried applying the promo code I received from PyPI but got “Promo code doesn’t apply. Check the cart and promo details.”

EDIT: n/m you have to select qty: 2 yourself, before it will apply