Revival Hijack Threat: Attackers Exploit Deleted PyPI Packages to Spread Malicious Code

September 5, 2024
  • Revival Hijack is particularly concerning as it does not rely on user mistakes, unlike traditional typosquatting attacks, making it harder for users to detect.

  • The danger is amplified by the fact that many systems automatically update packages without verifying their integrity, potentially leading to the installation of malicious versions.

  • An actual case of this attack involved the 'pingdomv3' package, which was hijacked shortly after its deletion and updated with malicious code targeting Jenkins environments.

  • JFrog researchers estimate that over 22,000 packages are at risk of being hijacked, highlighting the scale of the issue.

  • Threat actors are increasingly using a technique known as 'Revival Hijack' to register new PyPI projects with the names of previously deleted packages.

  • This method poses a significant risk because once a package is removed from PyPI, its name can be reused, allowing attackers to disguise harmful packages as legitimate.

  • Researchers have identified a weakness in how PyPI handles the names of deleted packages that lets attackers distribute malicious payloads effectively.

  • Research indicates that approximately 300 packages are removed from PyPI each month, creating a continuous stream of potential targets for hijacking.

  • To combat this threat, organizations are advised to monitor their CI/CD systems and implement measures to prevent the automatic installation of previously removed packages.

  • Researchers demonstrated the vulnerability by creating and deleting a package, then uploading a malicious version that was recognized as an update by pip.

  • Brian Moussalli from JFrog emphasized the importance of vigilance and proactive measures by users to protect the PyPI community from these hijack attempts.

  • In response to the threat, JFrog has registered new projects with names of popular deleted packages to prevent malicious actors from exploiting them.
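
One concrete way to act on the advice above (systems updating packages without verifying integrity, and CI/CD pipelines installing names that were previously removed) is to audit the requirements file a pipeline consumes before `pip install` runs. The script below is an added example, not JFrog's tooling or code from the reporting: it uses only the Python standard library, a simplified requirements parser (not full PEP 508), a constructed sample file, and a constructed deny-list in which 'pingdomv3' stands in for names an organization knows were removed from PyPI. Entries that are not pinned with `==` plus a `--hash` are flagged, because `pip install --require-hashes` would reject a revived package whose contents differ from the pinned hash.

```python
import re

# Constructed sample requirements file, as a CI job might consume it.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 \\
    --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760
pingdomv3
flask>=2.0
numpy==1.26.4
"""

# Constructed deny-list of names known to have been removed from PyPI.
KNOWN_REMOVED = {"pingdomv3"}

# name, optional comparison operator, optional version (simplified, not full PEP 508)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s\\]*)")


def normalize(name):
    """PEP 503 style normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Join backslash-continued lines, then split each entry into name, op, version, hashes."""
    joined = text.replace("\\\n", " ")
    entries = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        entries.append({
            "name": normalize(m.group(1)),
            "op": m.group(2),
            "version": m.group(3),
            "hashes": re.findall(r"--hash=(\S+)", line),
        })
    return entries


def audit(text, removed=KNOWN_REMOVED):
    """Return {name: [problems]} for entries that would let a revived package slip in."""
    findings = {}
    for e in parse_requirements(text):
        problems = []
        if e["name"] in removed:
            problems.append("name previously removed from PyPI")
        if e["op"] != "==":
            problems.append("not pinned with ==")
        if not e["hashes"]:
            problems.append("no --hash; pip cannot verify integrity")
        if problems:
            findings[e["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {'; '.join(problems)}")
```

A pipeline can fail the build when `audit` returns any findings, and the deny-list can be refreshed from whatever removed-package feed the organization maintains.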

Summary based on 7 sources

