Revival Hijack Threat: Attackers Exploit Deleted PyPI Packages to Spread Malicious Code
September 5, 2024

Revival Hijack is particularly concerning as it does not rely on user mistakes, unlike traditional typosquatting attacks, making it harder for users to detect.
The danger is amplified by the fact that many systems automatically update packages without verifying their integrity, potentially leading to the installation of malicious versions.
An actual case of this attack involved the 'pingdomv3' package, which was hijacked shortly after its deletion and updated with malicious code targeting Jenkins environments.
JFrog researchers estimate that over 22,000 packages are at risk of being hijacked, highlighting the scale of the issue.
Threat actors are increasingly using a technique known as 'Revival Hijack' to register new PyPI projects with the names of previously deleted packages.
This method poses a significant risk because once a package is removed from PyPI, its name can be reused, allowing attackers to disguise harmful packages as legitimate.
Researchers have identified a weakness in how the PyPI package repository handles deleted project names, which lets attackers distribute malicious payloads under names that users already trust.
Research indicates that approximately 300 packages are removed from PyPI each month, creating a continuous stream of potential targets for hijacking.
To combat this threat, organizations are advised to monitor their CI/CD systems and implement measures to prevent the automatic installation of previously removed packages.
Researchers demonstrated the vulnerability by creating and deleting a package, then uploading a malicious version that was recognized as an update by pip.
Brian Moussalli from JFrog emphasized the importance of vigilance and proactive measures by users to protect the PyPI community from these hijack attempts.
In response to the threat, JFrog has registered new projects with names of popular deleted packages to prevent malicious actors from exploiting them.
Summary based on 7 sources
Sources
BleepingComputer • Sep 4, 2024 • Revival Hijack supply-chain attack threatens 22,000 PyPI packages
The Hacker News • Sep 4, 2024 • Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers
Dark Reading • Sep 4, 2024 • 'Revival Hijack' on PyPI Disguises Malware with Legitimate File Names
SC Media • Sep 5, 2024 • Widespread PyPI package takeovers likely with new supply chain attack technique