PyPI.org Phishing attack

I just received this email (link deliberately broken):

As part of our ongoing account maintenance and security procedures, we’re asking users to verify their email addresses.

Please follow [this link](http s://pypj.org/account/login?user=ethan&token=xxx) to verify your email address.

This link will expire in 72 hours.

If you fail to confirm your email we may remove that email from your account to ensure your security.

Is pypj (that’s a J, not an I) one of ours?

10 Likes

Definitely a fake website. If you check in the footer, some links like donate.pypj.org are broken because they aren’t quite spoofing everything and are instead trying to do a more simple pypi → pypj text replacement which doesn’t always work.

Probably worth reporting to google who are currently providing the certificate for this domain.

7 Likes

That can be done here: https://safebrowsing.google.com/safebrowsing/report_phish/ (according to the FAQ)

6 Likes

Thanks, both! Site reported.

5 Likes

The site is also using Cloudflare name servers, and is registered with NameSilo LLC, so the abuse reporting for both firms can be used: https://abuse.cloudflare.com / abuse@namesilo.com. I’ve also sent an email to the PSF trademarks committee for obvious trademark infringement.

See https://rdap.namesilo.com/domain/pypj.org & ICANN Lookup.


8 Likes

I have reports on behalf of the PSF in at this time, and I’m aware that the trademark working group is also working from their angle. Thanks everyone.

5 Likes

Thanks for reporting this, @stoneleaf

I updated the title since this is a real attack. Perhaps we should send out a warning to users on one of the announcement and security channels.

3 Likes

This discussion is the top Google result when searching for “pypj.org”… I also received the same email verification request and was suspicious of the domain. I have a real pypi.org account associated with the same email the (fake) verification request was sent to.

I’m a nobody, so if I got this email there’s likely a lot more who also received the same phishing email. One of my projects was marked once as critical, so that could be the criteria they’re using for who to target.

Happy to provide email headers and any other info if requested.

3 Likes

I got one too and just wanted to document that the email isn’t assigned to an actual PyPI account but is included in the core packaging meta and so it’s exposed publicly.

It’s a team@ address with forwarding to actual humans. And the scam “verification” URL just extracted the part before @ to inject into the GET param.

1 Like
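Two observations in the posts above, the crude pypi → pypj text substitution and the fact that the scam URL just echoes the part of the recipient address before the @, can both be checked mechanically. The following triage script is an added example, not code from this thread or from PyPI: it parses a link from a suspicious message, compares its host with an allow-list of legitimate hosts (the allow-list is an assumption here; extend it for your own environment), reports near-miss lookalikes by edit distance, and notes when a query parameter merely repeats the mailbox local part.

```python
"""Triage a link from a suspicious "verify your email" message.

Added example, not code from this thread or from PyPI. LEGIT_HOSTS and the
recipient address used at the bottom are assumptions for the demonstration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the hosts a message about a PyPI account may legitimately point at.
LEGIT_HOSTS = {"pypi.org", "test.pypi.org", "python.org", "discuss.python.org"}
LOOKALIKE_MAX_DISTANCE = 2   # pypj.org is 1 edit from pypi.org


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_host(host: str) -> bool:
    """Exact match or a subdomain of an allow-listed host; 'pypi.org.evil.example' is neither."""
    return host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS)


def assess_link(url: str, recipient_email: Optional[str] = None) -> dict:
    """Return a small report: verdict, closest legitimate host, and tell-tale signs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    report = {
        "host": host,
        "verdict": "unrelated",
        "closest": None,
        "distance": None,
        "https": parts.scheme == "https",
        # IDN/punycode labels are another common way to fake a familiar name.
        "punycode": any(label.startswith("xn--") for label in host.split(".")),
        "echoes_local_part": False,
    }
    if is_legit_host(host):
        report["verdict"] = "legitimate"
    elif host:
        # Sorted so ties resolve deterministically.
        closest = min(sorted(LEGIT_HOSTS), key=lambda h: levenshtein(host, h))
        dist = levenshtein(host, closest)
        report["closest"], report["distance"] = closest, dist
        if dist <= LOOKALIKE_MAX_DISTANCE or report["punycode"]:
            report["verdict"] = "lookalike"
    if recipient_email and "@" in recipient_email:
        # The thread noted the "user=" value was just the text before the @.
        local = recipient_email.split("@", 1)[0].lower()
        values = [v.lower() for vals in parse_qs(parts.query).values() for v in vals]
        report["echoes_local_part"] = local in values
    return report


if __name__ == "__main__":
    # Constructed sample: the URL quoted in the thread, reassembled, with a made-up recipient.
    print(assess_link("https://pypj.org/account/login?user=ethan&token=xxx", "ethan@example.org"))
```

The report for the quoted link comes back as a lookalike of pypi.org at distance 1 with `echoes_local_part` set, which is exactly the pattern several posters described. Run against a mail archive, the same function gives a quick count of how many recipients got the message.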

Hi gang,

Thanks for your diligence!

Some notices have gone up on social media, mailing lists, and the PyPI blog:

Other efforts are underway to evaluate the impact and look at other prevention techniques.

4 Likes

We have implemented a client side protection that should block the trivial proxy attacks like these, and are working with our CDN provider, Fastly, to determine if any of their security products would further protect us from these attacks.

9 Likes
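The post above describes a client-side protection against trivial proxy attacks. The following is an added example, not PyPI's own code and not the client-side check the post refers to, showing the same idea applied on the server side in Python: a reverse-proxy phishing site that simply relays the browser's requests also relays the browser's Origin header, which then names the proxy's host rather than the real site, so state-changing requests carrying a foreign origin can be refused and logged. EXPECTED_ORIGIN, the demo application and the sample requests are assumptions for the example.

```python
"""Refuse state-changing requests whose origin is not this site.

Added example, not Warehouse/PyPI code. EXPECTED_ORIGIN and demo_app are
assumptions; the simulated requests at the bottom are constructed.
"""
from io import BytesIO
from urllib.parse import urlsplit

EXPECTED_ORIGIN = "https://pypi.org"       # assumption: origin the site is served from
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def request_origin(environ: dict):
    """Origin header if present, else the Referer reduced to scheme://host, else None."""
    origin = environ.get("HTTP_ORIGIN")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = environ.get("HTTP_REFERER")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def request_allowed(environ: dict, expected: str = EXPECTED_ORIGIN) -> bool:
    """Safe methods pass; state-changing ones must carry our own origin (fail closed)."""
    if environ.get("REQUEST_METHOD", "GET").upper() not in STATE_CHANGING:
        return True
    return request_origin(environ) == expected


class OriginGuard:
    """WSGI middleware: 403 on a mismatched origin, keeping a record for detection."""

    def __init__(self, app, expected: str = EXPECTED_ORIGIN):
        self.app, self.expected, self.rejected = app, expected, []

    def __call__(self, environ, start_response):
        if request_allowed(environ, self.expected):
            return self.app(environ, start_response)
        # Every rejection is worth keeping: the foreign origin is the proxy's hostname.
        self.rejected.append({
            "origin": request_origin(environ),
            "path": environ.get("PATH_INFO", ""),
            "client": environ.get("REMOTE_ADDR", ""),
        })
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"request origin does not match this site\n"]


def demo_app(environ, start_response):
    """Stand-in application (assumption): any request that reaches it succeeds."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(app, method: str, path: str = "/account/login/", **headers) -> str:
    """Drive a WSGI app with a constructed environ; returns the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": "203.0.113.5",
               "wsgi.input": BytesIO(b""), "wsgi.url_scheme": "https"}
    for name, value in headers.items():             # origin="..." -> HTTP_ORIGIN
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = {}

    def start_response(line, response_headers, exc_info=None):
        status["line"] = line

    list(app(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    guard = OriginGuard(demo_app)
    print(simulate(guard, "POST", origin="https://pypi.org"))   # from the real site
    print(simulate(guard, "POST", origin="https://pypj.org"))   # relayed through a proxy
    print(guard.rejected)
```

Two caveats before enforcing something like this: a proxy that rewrites Origin and Referer defeats the check, so it complements rather than replaces the client-side layer, and browsers or extensions that strip Referer and send no Origin on form posts will be refused, so run it in log-only mode first and review `rejected` before turning on the 403.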

Cloudflare has also now flagged the domain.

5 Likes

The domain registrar has also placed this domain on a hold.

6 Likes

The incident is over, and here’s a deeper dive.

9 Likes