4 PyPI Accounts Breached, Num2Words Malware Released

Details have recently been disclosed about the victims of a phishing attack targeting maintainers of Python packages on PyPI (Python Package Index). The attack used emails linking to a fake site, Pypj.org (with a “j” instead of an “i”), and resulted in the compromise of 4 accounts.

The attackers used this access to publish two malicious versions of the num2words module (0.5.15 and 0.5.16) on PyPI. num2words, which sees over 3 million monthly downloads, provides functions for converting numbers into their textual representation. PyPI admins removed the harmful releases within an hour of publication.

The attackers used transparent proxying to mimic the legitimate PyPI site, which allowed them to bypass two-factor authentication: they intercepted not only the initial login credentials but also the responses to second-factor verification prompts, and so were able to complete the login.

To prevent similar attacks in the future, PyPI administrators implemented a protective measure: JavaScript running in the browser checks the domain the page is served from. If the hash of the domain does not match the expected value, a warning is displayed, helping to prevent credentials from being entered on a look-alike site and thus unauthorized access.

/Reports, release notes, official announcements.