The Python Package Index (PyPI) has implemented an immediate ban on inbox.ru email domain registrations following a sophisticated spam campaign that resulted in over 1,500 fake project uploads across a month-long period.

The attack, which began on June 9, 2025, involved the creation of more than 250 user accounts that systematically flooded the repository with empty packages designed to exploit package confusion vulnerabilities. The campaign demonstrated a methodical approach to large-scale repository abuse, with attackers first establishing legitimate-appearing accounts complete with two-factor authentication and API tokens before launching their upload offensive. The projects targeted command-line interface entrypoints, exploiting the fact that these execution interfaces need not match the actual PyPI project name, creating opportunities for package confusion attacks.

PyPI analysts identified the malicious activity on July 8, 2025, after a user reported that an AI language model (Sonnet 4) had recommended installing a non-existent package.

The attackers employed a sophisticated multi-phase approach that began with careful account establishment and culminated in massive upload volumes. Initial reconnaissance started on June 9 with the creation of a single, fully-verified account including two-factor authentication setup. The campaign then escalated rapidly, with 46 accounts created within three hours on June 11, followed by 207 accounts established in just four hours on June 24. The upload phase commenced on June 26 with nine initial projects, building to a crescendo on June 30 when 740 fake packages were uploaded in a single day.

PyPI administrators responded swiftly upon discovery, removing all 1,525 malicious projects, disabling associated accounts, and implementing domain-level restrictions on inbox.ru registrations. The repository maintainers emphasized that while this action was necessary for security, they remain open to reversing the decision if the email provider demonstrates improved abuse prevention measures.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 10:35:10 +0000
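
The article notes that a command-line entrypoint need not share its name with the PyPI project that ships it. The Python sketch below is an added example, not code from PyPI or from the article: it lists console commands whose name differs from their project's name, so install instructions and requirements files can reference the real project. The project `example-toolkit`, its commands and all helper names are constructed for illustration.

```python
import re
from configparser import ConfigParser
from importlib import metadata


def normalize(name):
    """Normalize a name the way PyPI compares project names (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def console_commands(entry_points_txt):
    """Return the command names in the [console_scripts] section."""
    parser = ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of command names
    parser.read_string(entry_points_txt)
    if not parser.has_section("console_scripts"):
        return []
    return list(parser["console_scripts"])


def confusable_commands(project, entry_points_txt):
    """Commands whose normalized name is not the project's own name."""
    own = normalize(project)
    return sorted(c for c in console_commands(entry_points_txt)
                  if normalize(c) != own)


def audit_installed():
    """Map each mismatched command in this environment to its real project."""
    report = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        text = dist.read_text("entry_points.txt")
        if name and text:
            for cmd in confusable_commands(name, text):
                report.setdefault(cmd, set()).add(normalize(name))
    return report


# Constructed sample: entry_points.txt of a hypothetical project.
SAMPLE_PROJECT = "example-toolkit"
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
example-toolkit = example_toolkit.cli:main
extk = example_toolkit.cli:main
Example_Toolkit = example_toolkit.cli:main

[gui_scripts]
extk-gui = example_toolkit.gui:main
"""

if __name__ == "__main__":
    print(confusable_commands(SAMPLE_PROJECT, SAMPLE_ENTRY_POINTS))
    for cmd, projects in sorted(audit_installed().items()):
        print(f"{cmd}: install via {', '.join(sorted(projects))}")
```

Each reported command is a name someone might type after `pip install` by mistake; documentation and automation should cite the owning project shown beside it.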