Cyber Incident Victim: The Perl Foundation
Date: Jan 2021
Location: United States of America
Summary
The official domain for a prominent programming language organization was hijacked, redirecting to an IP address historically linked to malware distribution, including Locky ransomware. Attackers altered the domain's DNS records to point to a malicious server before offering it for sale, prompting warnings to avoid the compromised site. The incident disrupted critical infrastructure, requiring users to update configuration settings for package management tools to mitigate reliance on the hijacked domain.
Description
On January 29, 2021, attackers hijacked the domain perl.com, the official website for the Perl programming language operated by The Perl Foundation. The domain, registered with key-systems.net since 1994, was redirected from its original IP address 151.101.2.132 to 35.186.238[.]101, an address linked to historical malware distribution campaigns including Locky ransomware. The Perl NOC confirmed the hijacking, noting the domain began resolving to a parking page containing GoDaddy scripts shortly after the unauthorized DNS changes. Security researchers observed the hijacked domain displayed a blank page at the new IP, though its HTML contained elements associated with domain parking services. Within hours of the takeover, perl.com appeared listed for sale on afternic.com with an asking price of $190,000. The Perl Foundation issued an advisory urging users to avoid accessing perl.com due to its connection with malicious infrastructure.

The incident disrupted critical services for Perl developers, since the CPAN client configuration on many systems listed a perl.com mirror. Users were instructed to manually update their CPAN mirror URLs from perl.com to http://www.cpan.org/ using specific command-line procedures so that module installation continued to work. The hijacking posed secondary risks through the destination IP's historical association with ransomware operations, though no new malware distribution via perl.com was confirmed during this event. Recovery efforts focused on regaining control of the domain registration through the registrar. No details regarding the hijackers' identity or initial compromise vector were disclosed publicly. The Perl NOC maintained ongoing communication about the situation but did not provide a specific timeline for resolution in initial announcements.
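As an added example (not tooling from the Perl NOC or the advisory), the following Python script does the two checks a defender would want after this incident: it finds CPAN mirror entries whose host is the hijacked domain and rewrites them to http://www.cpan.org/, and it classifies the addresses a name currently resolves to against the legitimate and hijacked IPs reported above. The single-line `'urllist'` format is assumed to follow what the CPAN client writes to its MyConfig.pm, and the sample configuration is constructed for the example.

```python
"""Find and remediate CPAN mirror config that relies on a hijacked domain."""
import re
import socket
from urllib.parse import urlsplit

HIJACKED_HOST = "perl.com"
REPLACEMENT_MIRROR = "http://www.cpan.org/"
# Addresses reported for this incident: the pre-hijack IP and the hijacked one.
EXPECTED_IPS = {"151.101.2.132"}
KNOWN_BAD_IPS = {"35.186.238.101"}

# Constructed sample of a CPAN MyConfig.pm mirror line (not a real file).
SAMPLE_CONFIG = """\
  'urllist' => [q[http://www.perl.com/CPAN/], q[ftp://ftp.perl.org/pub/CPAN/]],
"""


def parse_urllist(config_text):
    """Return the mirror URLs from the single-line 'urllist' entry (assumed format)."""
    for line in config_text.splitlines():
        if "'urllist'" in line:
            return re.findall(r"q\[([^\]]*)\]", line)
    return []


def host_matches(url, domain):
    """True when the URL's host is the domain itself or any subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def flag_hijacked(urls):
    return [u for u in urls if host_matches(u, HIJACKED_HOST)]


def remediate(urls):
    """Replace every mirror on the hijacked domain with the known-good mirror."""
    return [REPLACEMENT_MIRROR if host_matches(u, HIJACKED_HOST) else u for u in urls]


def assess_resolution(resolved_ips):
    """Classify a set of resolved IPv4 addresses: 'known_bad', 'unexpected' or 'ok'."""
    ips = set(resolved_ips)
    if ips & KNOWN_BAD_IPS:
        return "known_bad"
    if not ips <= EXPECTED_IPS:
        return "unexpected"
    return "ok"


def resolve_ipv4(host):
    """Live lookup (network access); the checks above are kept offline-testable."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
```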
