Friend
Professional
- Messages
- 2,653
- Reaction score
- 848
- Points
- 113
The new attack method turns safe packets into malware.
The JFrog team discovered a new method of attacking the software supply chain that was used against PyPI packages. The method, called "Revival Hijack", is based on the ability to re-register deleted packages. The attack consists in the fact that after the package is removed from the platform, its name becomes available for registration to other users, which allows attackers to hijack popular packages and distribute malware.
The study showed that about 22,000 existing packages could be captured in this way, which could lead to hundreds of thousands of downloads of malicious versions. However, JFrog managed to prevent significant damage before cybercriminals could exploit the vulnerability on a large scale.
In the case of PyPI, one of the platform's most vulnerable points is the package drop policy. As soon as the project is deleted, its name immediately becomes available for re-registration. Users are not warned that the package has been deleted. This mechanism makes the Revival Hijack method particularly dangerous, as users can update (once safe) packages without knowing that they have already been hijacked by attackers.
Package Delete Dialog
One such example is the "pingdomv3" package, which was intercepted and used to distribute malicious code. After capturing the package, the hackers injected malicious code that was executed when the package was installed or updated. However, the code was quickly discovered and removed.
During the experiment, the JFrog team tested this method by creating test packages and capturing them after removal. The results showed that the PyPI system does not recognize changes in package authorship, which allows attackers to easily replace removed versions with their own without triggering any warnings when updating.
Revival Hijack Attack Chain
To prevent attacks, the JFrog team reserved more than 22,000 packets using a special account by uploading safe, empty versions of the packages. Thus, it was possible to protect the PyPI community from threats associated with this type of attack. However, the team emphasizes that users should remain careful and avoid installing packages that have been removed to minimize the risk.
Source
The JFrog team discovered a new method of attacking the software supply chain that was used against PyPI packages. The method, called "Revival Hijack", is based on the ability to re-register deleted packages. The attack consists in the fact that after the package is removed from the platform, its name becomes available for registration to other users, which allows attackers to hijack popular packages and distribute malware.
The study showed that about 22,000 existing packages could be captured in this way, which could lead to hundreds of thousands of downloads of malicious versions. However, JFrog managed to prevent significant damage before cybercriminals could exploit the vulnerability on a large scale.
In the case of PyPI, one of the platform's most vulnerable points is the package drop policy. As soon as the project is deleted, its name immediately becomes available for re-registration. Users are not warned that the package has been deleted. This mechanism makes the Revival Hijack method particularly dangerous, as users can update (once safe) packages without knowing that they have already been hijacked by attackers.
Package Delete Dialog
One such example is the "pingdomv3" package, which was intercepted and used to distribute malicious code. After capturing the package, the hackers injected malicious code that was executed when the package was installed or updated. However, the code was quickly discovered and removed.
During the experiment, the JFrog team tested this method by creating test packages and capturing them after removal. The results showed that the PyPI system does not recognize changes in package authorship, which allows attackers to easily replace removed versions with their own without triggering any warnings when updating.
Revival Hijack Attack Chain
To prevent attacks, the JFrog team reserved more than 22,000 packets using a special account by uploading safe, empty versions of the packages. Thus, it was possible to protect the PyPI community from threats associated with this type of attack. However, the team emphasizes that users should remain careful and avoid installing packages that have been removed to minimize the risk.
Source
