JuiceLedger hackers are responsible for recent phishing attacks on PyPI users

More information about the operators behind the first-known phishing campaign has surfaced by JuiceLedger Hackers, specifically aimed at the Python Package Index (PyPI), the programming language’s official third-party software repository.

SentinelOne and Checkmarx described the group as a relatively new entity that surfaced in early 2022, linking it to a threat actor tracked as JuiceLedger.

Initial “low-key” campaigns are said to have used rogue Python installer applications to deliver JuiceStealer, a.NET-based malware designed to siphon passwords and other sensitive data from victims’ web browsers.

Last month, the attacks received a significant boost when JuiceLedger actors launched a phishing campaign against PyPi package contributors, compromising three packages with malware.

SentinelOne researcher Amitai Ben Shushan Ehrlich wrote in a report: “The supply chain attack on PyPI package contributors appears to be an escalation of a campaign that began earlier this year, targeting potential victims through fake cryptocurrency trading applications,”

According to the cybersecurity firm, the goal is to infect a larger audience with the infostealer using a combination of trojanized and typosquat packages.

The development adds to growing concerns about the open source ecosystem’s security, prompting Google to announce monetary rewards for discovering flaws in publicly available projects.

With account takeover attacks becoming a popular infection vector for attackers looking to poison software supply chains, PyPI has begun requiring two-factor authentication (2FA) for “critical” projects.

According to SentinelOne, “JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor.”