top of page

Phishing Packages Flooding Open-Source Repos


As-yet unidentified threat actors recently uploaded an incredible 144,294 phishing-related packages into popular open-source package repositories—including NuGet, NPM, and PyPi, to name a few. This massive attack appears to have been automated, as malicious packages were uploaded from many accounts using similar descriptions and a particular naming scheme. Tracing the packages’ phishing web page hosting all led back to the same