Anatomy of a Phishing Campaign
2026-07-16, Auditorium Hall (S1)

In July 2025, PyPI users received emails directing them to pypj.org—a near-perfect clone transparently proxying requests to pypi.org. Within hours, attackers compromised four accounts and uploaded malicious releases of the popular num2words package.

This talk dissects the complete attack chain: how attackers harvested email addresses from public package metadata, built a transparent proxy that relayed TOTP codes in real time, and why traditional 2FA failed while WebAuthn-based authentication stopped the attack cold.

The session covers the incident response timeline, challenges getting malicious infrastructure taken down (including initial rejection of abuse reports), and defensive measures deployed afterward—including new email verification for TOTP logins from unrecognized devices.

Attendees will learn exactly how modern phishing attacks work against package repositories, the critical difference between "phishable" and "phishing-resistant" 2FA, and practical steps to protect accounts and packages from the next campaign. The talk also examines the September 2025 follow-up campaign targeting pypi-mirror.org and patterns across these ongoing attacks.
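The distinction the abstract draws between "phishable" and "phishing-resistant" 2FA can be made concrete. The script below is an added example, not code from the talk or from PyPI: it verifies a TOTP code the way any server must (six digits that carry no record of which page they were typed into) and then runs the relying-party checks a WebAuthn assertion has to pass, where the origin and RP ID hash are written by the browser and covered by the authenticator's signature. The HMAC standing in for the authenticator's asymmetric signature, the constructed seed, credential key, challenge and time step, and the simplified RP ID rule are all assumptions made so the example runs offline with the standard library.

```python
"""Added example: why a relayed TOTP code verifies at the real site while a
relayed WebAuthn assertion does not.  Standard library only; an HMAC keyed with a
per-credential secret stands in for the authenticator's asymmetric signature."""
import hashlib
import hmac
import json
import struct

RP_ID = "pypi.org"
EXPECTED_ORIGIN = "https://pypi.org"
PHISHING_ORIGIN = "https://pypj.org"  # look-alike origin named in the abstract


# ---- TOTP (RFC 6238) -------------------------------------------------------
def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """HOTP over the time-step counter, truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, timestep: int) -> bool:
    """The server sees only the digits: nothing in them records which page the
    user typed them into, so a code relayed by a look-alike site verifies."""
    return hmac.compare_digest(totp(secret, timestep), submitted)


# ---- WebAuthn assertion, simplified ----------------------------------------
def browser_get_assertion(cred_key: bytes, origin: str, rp_id: str, challenge: str):
    """Models navigator.credentials.get(): the browser (not the page) writes the
    origin into clientDataJSON and refuses an RP ID the origin may not use; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    host = origin.removeprefix("https://")
    if host != rp_id and not host.endswith("." + rp_id):  # simplified RP ID rule (assumption)
        raise PermissionError(f"SecurityError: {rp_id!r} is not valid for {origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    flags, sign_count = 0x05, 1  # user present + user verified; constructed counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def verify_assertion(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks in the order the WebAuthn assertion verification
    procedure performs them; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-present flag not set"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not cover the presented origin/rpIdHash"
    return True, "ok"


def demo() -> dict:
    """Runs the scenarios and returns their outcomes keyed by name."""
    results = {}
    totp_seed = b"constructed-totp-seed"       # constructed, not a real secret
    step = 1_700_000_000 // 30                  # constructed, fixed time step
    # Victim types the code into the look-alike page; the proxy forwards it unchanged.
    results["totp_relayed"] = verify_totp(totp_seed, totp(totp_seed, step), step)

    cred_key = b"constructed-credential-key"   # constructed stand-in for the key pair
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" # constructed; real ones are random per login
    cd, ad, sig = browser_get_assertion(cred_key, EXPECTED_ORIGIN, RP_ID, challenge)
    results["webauthn_real_origin"] = verify_assertion(cred_key, challenge, cd, ad, sig)

    # The proxy relays the real site's RP ID to the victim's browser on pypj.org:
    # the browser refuses before the authenticator is even asked.
    try:
        browser_get_assertion(cred_key, PHISHING_ORIGIN, RP_ID, challenge)
        results["webauthn_phishing_origin"] = (True, "browser allowed it (should not happen)")
    except PermissionError as exc:
        results["webauthn_phishing_origin"] = (False, str(exc))

    # Even an assertion legitimately made for pypj.org, with origin and rpIdHash
    # rewritten in transit to look like pypi.org, fails: the signature covers both.
    cd2, ad2, sig2 = browser_get_assertion(cred_key, PHISHING_ORIGIN, "pypj.org", challenge)
    forged_cd = cd2.replace(b"pypj.org", b"pypi.org")
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + ad2[32:]
    results["webauthn_rewritten"] = verify_assertion(cred_key, challenge, forged_cd, forged_ad, sig2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the relayed TOTP code accepted and every WebAuthn path rejected, which is the property the abstract calls phishing resistance: the secret never leaves the authenticator, and what it signs names the site the user is actually on. The RP-side origin and rpIdHash checks matter as defence in depth, since a relying party that skipped them would be trusting the browser alone.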


Expected audience expertise: Beginner

Mike is a professional engineer with over three decades of experience, having held senior leadership roles at companies including Datadog, MongoDB, LeafLink, Warby Parker, and Paribus (Capital One). He is dedicated to continuous learning and mentoring.

He is a recognized contributor to the tech community, having been a conference speaker since 2012. His accolades include the Awesome Community Chef Award (2016) and being an AWS Container Hero since 2018.

Currently working as the PyPI Safety & Security Engineer at the Python Software Foundation, he devotes his free time to working on open source tools, learning new technologies, and volunteering as a roller derby referee. With a holistic view of systems and software and a passion for problem-solving, Mike helps others navigate the complexities of the tech world.

He can be found on Mastodon, GitHub, and elsewhere online, or wearing stripes at a roller derby game near you.