Analysts have discovered a new attack, which was named Revival Hijack

Researchers at JFrog have uncovered a supply chain attack technique they call Revival Hijack, which could be used to hijack the names of roughly 22,000 removed PyPI packages and lead to hundreds of thousands of malicious package downloads.

In a Revival Hijack attack, an attacker registers a new PyPI project under the name of a previously deleted package, so that developers who pull updates of the old package receive the attacker's code instead.

A developer who deletes a project from PyPI receives only a warning about the possible consequences, including the Revival Hijack scenario: once the project is gone, its name immediately becomes available to any other PyPI user.

Whoever grabs the name can publish new releases under it. The only restriction PyPI enforces is that the file names of the new distributions must differ from those of the distributions previously published under that name, which is no obstacle: a new version number yields new file names.
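The file-name rule above is why hash pinning is the practical defence on the consuming side: a revived project cannot serve the exact artifact recorded in a lockfile, so a hash-checked install fails instead of silently pulling the new owner's code. The check below is an added example, not JFrog's tooling and not code from the original post. Given a requirements line pinned with --hash and the project's current release metadata in the shape of PyPI's JSON API (https://pypi.org/pypi/<name>/json, field "releases"), it flags two signals: a pinned version whose files on the index no longer match the lockfile hashes (exactly what `pip install --require-hashes` would refuse), and an index history in which every file postdates the lockfile, meaning the releases originally resolved against are gone and the name has been re-populated from scratch. The package name example-monitoring-client, the hashes and the dates are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the "releases" field of PyPI's JSON API.
# The package name is fictional. Scenario: the original maintainer deleted the
# project; a new owner re-registered the name on 2024-03-30 and re-published
# 1.1 as an sdist (the old wheel's file name is blocked, a new file name is
# not), then pushed 1.2 the next day.
REVIVED_RELEASES = {
    "1.1": [{"filename": "example_monitoring_client-1.1.tar.gz",
             "upload_time_iso_8601": "2024-03-30T10:15:00.000000Z",
             "digests": {"sha256": "d" * 64}}],
    "1.2": [{"filename": "example_monitoring_client-1.2-py3-none-any.whl",
             "upload_time_iso_8601": "2024-03-31T09:00:00.000000Z",
             "digests": {"sha256": "c" * 64}}],
}

# The same package as it looked before deletion (constructed), for contrast.
HEALTHY_RELEASES = {
    "1.0": [{"filename": "example_monitoring_client-1.0-py3-none-any.whl",
             "upload_time_iso_8601": "2022-01-10T12:00:00.000000Z",
             "digests": {"sha256": "a" * 64}}],
    "1.1": [{"filename": "example_monitoring_client-1.1-py3-none-any.whl",
             "upload_time_iso_8601": "2022-03-01T12:00:00.000000Z",
             "digests": {"sha256": "b" * 64}}],
}

# Lockfile line in the form written by `pip-compile --generate-hashes`
# (constructed), plus the time the lockfile was generated.
REQ_LINE = "example-monitoring-client==1.1 --hash=sha256:" + "b" * 64
LOCK_TIME = datetime(2023, 6, 1)

FINDING_HASH = "pinned version missing or served with hashes not in lockfile"
FINDING_RESET = "every file on the index postdates the lockfile: name likely deleted and re-registered"


def _parse_time(s):
    """Parse the upload_time_iso_8601 format used by PyPI's JSON API."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_pinned_requirement(line):
    """Split 'name==version --hash=sha256:<hex> ...' into (name, version, {hex, ...})."""
    m = re.match(r"^\s*([A-Za-z0-9_.\-\[\]]+)==(\S+)", line)
    if not m:
        raise ValueError("expected an exact '==' pin: %r" % line)
    hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
    return m.group(1), m.group(2), hashes


def pinned_artifact_intact(releases, req_line):
    """True only if the pinned version exists and every file the index serves
    for it has a sha256 listed in the lockfile. A revived project cannot reuse
    the old file names, so any file it adds for that version shows up as an
    unknown hash, which is also what makes --require-hashes refuse it."""
    _, version, hashes = parse_pinned_requirement(req_line)
    files = releases.get(version) or []
    if not files or not hashes:
        return False
    return all(f["digests"]["sha256"] in hashes for f in files)


def history_reset_after(releases, lock_time):
    """True if every file currently on the index was uploaded after lock_time.
    For a package that was already locked at that time, this means the
    releases you resolved against are gone and the name was re-populated."""
    uploads = [_parse_time(f["upload_time_iso_8601"])
               for files in releases.values() for f in files]
    return bool(uploads) and min(uploads) > lock_time


def audit(releases, req_line, lock_time):
    """Return the list of findings for one pinned package (empty if clean)."""
    findings = []
    if not pinned_artifact_intact(releases, req_line):
        findings.append(FINDING_HASH)
    if history_reset_after(releases, lock_time):
        findings.append(FINDING_RESET)
    return findings


if __name__ == "__main__":
    for label, releases in (("revived", REVIVED_RELEASES), ("healthy", HEALTHY_RELEASES)):
        print(label, audit(releases, REQ_LINE, LOCK_TIME) or ["ok"])
```

To run this against a real dependency, fetch https://pypi.org/pypi/<name>/json and pass data["releases"] together with the matching line of your hash-pinned requirements file; the second signal only makes sense for packages that were already in the lockfile at LOCK_TIME, since a brand-new dependency naturally has no history older than that.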

According to JFrog researchers, more than 22,000 removed packages on PyPI are currently exposed to Revival Hijack, and some of them were quite popular.

On average, 309 packages are removed from PyPI every month, which means a steady stream of new opportunities for attackers.

In mid-April, JFrog found that Revival Hijack was already being used in the wild: a threat actor targeted pingdomv3, an implementation of the API of the Pingdom website-monitoring service.

The package was removed on March 30, and the new "developer" hijacked the name and published an update the same day, indicating that the attackers were well aware of this weakness.

A later update added a Base64-obfuscated Python trojan that targeted Jenkins CI/CD environments.

JFrog researchers have taken steps to reduce the risk of Revival Hijack attacks by creating new Python projects under the names of the most popular packages that have already been removed.

JFrog explains that PyPI maintains a private blocklist of names that cannot be registered as new projects, but most of the removed packages are not on it.

This prompted the researchers to register the most popular of the deleted, hijackable package names themselves under an account called security_holding, with the version number set to 0.0.0.1 so that the placeholder is never picked up as an upgrade to the original.

Notably, within three months these placeholder packages had been downloaded around 200,000 times, driven by automated scripts and user typos, which gives a sense of how much traffic a malicious revival would have received.