Two people investigate a website, one holds a magnifying glass to reveal the word "Fake"

PyPI users were compromised by JuiceLedger hackers with Phishing Attack

The latest phishing attacks on Python Package Index (PyPI) users were conducted by JuiceLedger Hackers. More information about the people responsible for the first-known phishing scam that was especially targeted at the Python Package Index, the known third-party software repository for the programming language, has come to light.

The Python Package Index (PyPI) is the language’s approved third-party software repository. Cybersecurity firm SentinelOne and Checkmarx identified the group as a relatively recent breakout that first occurred in early 2022, connecting it to a threat actor identified as JuiceLedger.

Last month, the JuiceLedger actors targeted PyPi package developers in a phishing attack, which led to the infection of three packages with malware. Phishing emails sent to PyPI developers, typosquatting, and malicious packages meant to infect users.

Python Phishing Website
Phishing website PyPi (PyPi)

JuiceStealer, a.NET-based malware programme designed to steal passwords and other personal information from victims’ web browsers, is said to have been distributed in the first “low-key” attacks by malicious Python installation programmes.

Amitai Ben Shushan Ehrlich, a SentinelOne researcher, wrote in a report:

The attack against PyPI package contributors through the supply chain appears to be an escalation of a marketing effort that was launched earlier this year. The previous campaign targeted vulnerable victims through the use of fake bitcoin buying and selling scams.

The cybersecurity company said that the infostealer is likely intended to target a larger audience using a combination of trojanized and typosquat packages.

The trend has led Google to take action and propose financial rewards for spotting vulnerabilities in its projects that are freely accessible. The move comes amid increasing worries about the security of the open-source ecosystem.

PyPi’s Reaction to the Attack

PyPi are actively investigating reports of dangerous packages and have removed hundreds of typosquats. When 2FA authorisation is enabled, package maintainers should use it and should make sure that the URL in the address bar is https://pypi.org before entering their login information. Additionally, visitors can verify that pypi.org is the provider of the TLS certificate for the website.

Resetting passwords right away and reporting any unusual behaviour to security@pypi.org are encouraged for maintainers who think they may have been the target of a JuiceLedger attack.

Security teams are recommended to study the available warnings and implement the necessary mitigation steps since attacks like this are concerning given the widespread usage of PyPI and other open-source packages in corporate environments.

Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts