A new threat known as ‘Revival Hijack’ has emerged, targeting the Python Package Index (PyPI) repository [6]. This attack vector exploits a vulnerability in PyPI where removed legitimate packages can be re-registered with malicious ones.

Description

The attack relies on removed Python packages being available for registration by any user [5]; PyPI’s re-registration option for removed packages is what the attacker manipulates [9]. By hijacking abandoned package names on PyPI [3], attackers can distribute malware disguised as legitimate software, infecting users who try to update or install those packages [3]. Because the attacker publishes a malicious package under the same name with a higher version number [5], the bogus package can replace a real one without any warning to the user [5] [9], exposing developers to potential data theft [5] and posing a significant risk to the software supply chain [5]. While PyPI has safeguards against author impersonation and typosquatting [5], this tactic [1] [2], known as Revival Hijack [1] [2] [7], is not covered by them: unlike typosquatting [5] [9] [10], it does not rely on user error during installation [10], which makes it particularly dangerous [1] [10] and more profitable than typosquatting [9]. Attackers can inject malware into seemingly legitimate packages [2], potentially gaining backdoor access to organizations [2].

The scale of the exposure is large. Over 120,000 removed packages on PyPI are vulnerable to this hijacking technique [3], and statistics show that about 309 packages are removed each month [5]. A real-world analysis by JFrog showed that the method could be used to hijack 22K existing PyPI packages [7], leading to malicious package downloads [4] [6] [7] [9]. The attack has already been exploited in real-world settings [5] [9]: threat actors hijacked the ‘pingdomv3’ package [7] and used it to distribute malware [2], with an unknown attacker first introducing a benign version of the package that later contained a payload to execute remote code [5]. This incident emphasizes the need for awareness and protection within the PyPI community [7].

Security researchers at JFrog demonstrated the vulnerability and took proactive measures to limit the damage: they registered deleted projects under a security_holding name [8], creating a ‘security holding’ account to which the most downloaded abandoned packages were transferred [2]. In effect, JFrog created a new PyPI user account and new Python projects bearing the names of popular deleted packages, replacing them with empty placeholders so that malicious actors cannot hijack them [4] [5].

Users and organizations can protect themselves by using package pinning [4], verifying package integrity [4], and monitoring for changes in package ownership or unusual update activity [4]. Developers are advised to inspect their DevOps pipelines to prevent the installation of removed packages [5] [9] and to exercise caution when upgrading to new package versions to avoid falling victim to the ‘Revival Hijack’ attack. Users are also advised to be cautious when downloading packages from PyPI until further security measures are implemented [8]. Because cybercriminals are already exploiting the attack [9], continued vigilance and precautions within the PyPI community are required [7] [9].
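The following is an added example, not code from the page or from JFrog, showing the two mitigations the sources recommend: hash-locked version pinning (the style `pip install --require-hashes` consumes), which rejects a revived package even when it carries a higher version, and a simple heuristic for "unusual update activity" that flags a release appearing after a long dormant period. Package name, artifact bytes and release dates are constructed placeholders.

```python
import hashlib
import re
from datetime import datetime, timedelta

# A fully pinned requirement line: exact version plus a sha256 hash,
# the form pip enforces under --require-hashes.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)\s+--hash=sha256:([0-9a-f]{64})$")


def parse_pinned(line):
    """Return (name, version, sha256) for a pinned and hashed line, else None."""
    m = PIN_RE.match(line.strip())
    return (m.group(1).lower(), m.group(2), m.group(3)) if m else None


def audit_requirements(text):
    """Return every requirement line that is not pinned to an exact version with a hash.
    Unpinned or range specifiers are what a revived package with a higher version exploits."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and parse_pinned(line) is None:
            findings.append(line)
    return findings


def verify_artifact(pin, version, blob):
    """True only if the downloaded version AND its sha256 match the pin."""
    _, pinned_version, pinned_hash = pin
    return version == pinned_version and hashlib.sha256(blob).hexdigest() == pinned_hash


def suspicious_revival(releases, dormant_days=365):
    """Heuristic (constructed, not a PyPI API): flag a newest release that lands
    after more than `dormant_days` of silence. releases = [(version, upload_datetime)]."""
    rel = sorted(releases, key=lambda r: r[1])
    if len(rel) < 2:
        return False
    return rel[-1][1] - rel[-2][1] > timedelta(days=dormant_days)


# Constructed sample data; "examplepkg" is a placeholder, not a real project.
GOOD_BLOB = b"legitimate wheel bytes"
GOOD_LINE = f"examplepkg==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_BLOB).hexdigest()}"
HIJACK_BLOB = b"different bytes published under the revived name"
RELEASES = [("1.4.1", datetime(2021, 3, 1)), ("1.4.2", datetime(2021, 9, 1)),
            ("1.5.0", datetime(2024, 8, 30))]  # long gap, then a new higher version
```

With the pin in place, a revived `examplepkg` at version 1.5.0 fails `verify_artifact` on both version and hash, while `audit_requirements` surfaces any line that would silently accept the upgrade.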

Conclusion

The ‘Revival Hijack’ attack poses a significant risk to the PyPI community, with potential impacts on software supply chains and data security. Mitigations such as package pinning, integrity verification, and monitoring for ownership changes are recommended to protect against this threat. Continued vigilance and proactive measures are essential to prevent further exploitation of vulnerable packages and safeguard against future attacks.

References

[1] https://cualesmi-ip.com/blog/revival-hijack-en-pypi-disfraza-malware-con-nombres-de-archivos-legitimos/
[2] https://www.csoonline.com/article/3502920/thousands-of-abandoned-pypi-projects-could-be-hijacked-report.html
[3] https://www.darkreading.com/application-security/revival-hijack-on-pypi-disguises-malware-with-legitimate-file-names
[4] https://www.prsol.cc/2024/09/05/revival-hijack-supply-chain-attack-threatens-22000-pypi-packages/
[5] https://www.ruetir.com/2024/09/04/revival-hijack-new-attack-on-22000-pypi-packages/
[6] https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
[7] https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
[8] https://pcper.com/2024/09/the-pypi-revival-hijack-attack-is-both-horrible-and-incredibly-embarassing/
[9] https://pledgetimes.com/revival-hijack-new-attack-on-22000-pypi-packages/
[10] https://www.computerweekly.com/news/366609663/PyPI-loophole-puts-thousands-of-packages-at-risk-of-compromise