Cybersecurity researchers at JFrog have disclosed a supply chain attack technique that puts over 22,000 package names on the Python Package Index (PyPI) at risk. The technique, named “Revival Hijack,” exploits a gap in PyPI’s naming policy: once the original developers remove a project from the index, its name becomes available again, and an attacker can register it and publish under it.
Unlike typosquatting, which relies on users misspelling a package name, Revival Hijack requires no mistake on the victim’s side. The user requests exactly the name they have always used; the attacker simply re-registers a popular name after its owner deletes it and uploads malicious versions under it. Anyone whose requirements files, build scripts or CI jobs still reference that name will download and install the attacker’s release, believing it to be the legitimate package.
JFrog’s analysis identified more than 22,000 removed PyPI packages whose names were open to Revival Hijack. Some of these had accumulated hundreds of thousands of downloads while they were live, so a large population of users and automated pipelines could unknowingly pull malicious code.
To demonstrate the attack, JFrog ran a controlled experiment: they created and published a package, removed it, and then re-registered the same name from a different account. Because pip resolves a dependency by name and version number alone, the imposter package, published with a higher version number, was offered as an ordinary upgrade, with no warning from the package manager that the project had changed hands.
In a real case observed on April 12, 2024, JFrog’s monitoring flagged suspicious activity around the ‘pingdomv3’ package, whose name had been taken over by a new owner. The new owner first released an innocuous update and then followed it with a version containing a suspicious, Base64-obfuscated payload. JFrog reported it promptly and PyPI maintainers removed the malicious package.
To limit further abuse, JFrog’s research team also reserved the most popular of the abandoned names by registering harmless, empty placeholder packages under them, so that an attacker could no longer claim them. The placeholders nonetheless received thousands of downloads within a short period, which shows how many installers and CI pipelines keep requesting packages that no longer exist on PyPI, and therefore how many would have accepted a malicious revival just as readily.
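The pingdomv3 case above hinged on a Base64-obfuscated payload. As an added example, not JFrog’s detection logic and not the real pingdomv3 code, the following Python scanner shows the kind of static check a release-review step can run over a package’s Python sources (typically setup.py): it flags long Base64-looking string literals that decode cleanly, and any exec()/eval() call whose argument passes through a decode function. The two sample setup.py sources are constructed here; the package name “examplepkg” and the payload text are assumptions.

```python
"""Static heuristic for the pingdomv3-style pattern: a Base64 blob decoded and
handed to exec()/eval() inside a package's Python source (e.g. setup.py).
Added illustration, not JFrog's detection logic; the sample sources are
constructed here and do not reproduce the real pingdomv3 payload."""
import ast
import base64
import binascii
import re

EXEC_SINKS = {"exec", "eval"}
DECODE_FUNCS = {"b64decode", "b32decode", "b85decode", "a85decode", "decodebytes"}
# Long runs of Base64 alphabet characters; short literals are too noisy to flag.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")


def _call_name(node: ast.Call) -> str:
    """Return the called function's bare name ('exec', 'b64decode', ...)."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return ""


def _contains_decode_call(node: ast.AST) -> bool:
    return any(
        isinstance(n, ast.Call) and _call_name(n) in DECODE_FUNCS
        for n in ast.walk(node)
    )


def scan_source(source: str) -> list[dict]:
    """Return one finding per suspicious construct in `source`."""
    findings: list[dict] = []
    for node in ast.walk(ast.parse(source)):
        # exec(base64.b64decode(...)) and friends: decoded data fed straight to a code sink.
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_SINKS:
            if any(_contains_decode_call(arg) for arg in node.args):
                findings.append({"line": node.lineno, "kind": "exec_of_decoded_data"})
        # Long Base64-looking string literal that actually decodes cleanly.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if not B64_RE.match(node.value):
                continue
            try:
                decoded = base64.b64decode("".join(node.value.split()), validate=True)
            except (binascii.Error, ValueError):
                continue
            findings.append({
                "line": node.lineno,
                "kind": "long_base64_literal",
                "decoded_preview": decoded[:40].decode("utf-8", "replace"),
            })
    return findings


# Constructed samples: a plain setup.py and one that carries a decoded-and-executed blob.
CLEAN_SETUP = '''\
from setuptools import setup
setup(name="examplepkg", version="1.0.0", packages=["examplepkg"])
'''

_PAYLOAD = base64.b64encode(b'import os; os.system("echo constructed payload")').decode()
SUSPICIOUS_SETUP = f'''\
import base64
from setuptools import setup
exec(base64.b64decode("{_PAYLOAD}"))
setup(name="examplepkg", version="1.0.1", packages=["examplepkg"])
'''

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_source(src))
```

The decoded preview is what a reviewer actually wants to read: a blob that decodes to Python source or a shell command is a very different thing from one that decodes to an image or a test fixture. The heuristic is deliberately narrow and will miss payloads that are split across several literals, fetched over the network, or decoded by a function not in DECODE_FUNCS, so treat a hit as a reason to read the release diff, not as a verdict.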
Security researcher Henrik Plate from Endor Labs emphasized that the risk posed by Revival Hijack depends on the popularity of the package and highlighted the importance of stringent security guidelines for package registries. He recommended using internal package registries that mirror open-source packages and require a vetting process for new versions of revived packages to mitigate the inclusion of malicious code.
JFrog reported the issue to PyPI’s security team and is advocating a stricter policy under which the name of a removed package cannot be registered again. Until such a policy exists, users should audit their own dependency lists for packages that have since been removed from PyPI, and make sure their CI/CD systems fail rather than install whatever now lives under a removed name. Pinning every dependency to an exact version and a known artifact hash is the most direct way to achieve this, because a revived package carries different bytes even when it reuses the same name and version number.
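Why hash pinning defeats a revival: pip’s `--require-hashes` mode (as produced by `pip-compile --generate-hashes` and enforced by `pip install --require-hashes -r requirements.txt`) refuses any requirement that is not pinned to an exact version with at least one `--hash`, and rejects a downloaded file whose digest matches none of them. The Python below is an added model of that check, not pip’s own code; the package name “examplepkg”, the lockfile and the wheel bytes are constructed so the example runs offline.

```python
"""Model of pip's --require-hashes mode, showing why hash-pinned lockfiles turn a
Revival Hijack into a hard install failure instead of a silent upgrade.
Added illustration; the package name, lockfile and wheel bytes are constructed."""
import hashlib
import re
from dataclasses import dataclass, field


class HashPinError(Exception):
    """Raised for a requirement that cannot be verified in --require-hashes mode."""


@dataclass
class Requirement:
    name: str
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algo -> allowed digests


_PIN_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9_.\-]*)==([A-Za-z0-9_.+!\-]+)")


def parse_requirements(text: str) -> list[Requirement]:
    """Parse a pip-compile style lockfile, enforcing the --require-hashes rules:
    every requirement is pinned with == and carries at least one --hash."""
    reqs: list[Requirement] = []
    for raw in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, *opts = line.split()
        m = _PIN_RE.fullmatch(spec)
        if not m:
            raise HashPinError(f"{spec!r} is not pinned to an exact version")
        req = Requirement(m.group(1), m.group(2))
        for opt in opts:
            if not opt.startswith("--hash="):
                raise HashPinError(f"unexpected option {opt!r} on {req.name}")
            algo, _, digest = opt[len("--hash="):].partition(":")
            if algo not in hashlib.algorithms_available:
                raise HashPinError(f"unknown hash algorithm {algo!r} on {req.name}")
            req.hashes.setdefault(algo, set()).add(digest.lower())
        if not req.hashes:
            raise HashPinError(f"{req.name}=={req.version} has no --hash; refusing to install")
        reqs.append(req)
    return reqs


def artifact_matches(req: Requirement, data: bytes) -> bool:
    """True if the downloaded file matches any pinned digest (pip accepts any one)."""
    return any(
        hashlib.new(algo, data).hexdigest() in allowed
        for algo, allowed in req.hashes.items()
    )


def check_install(lockfile: str, downloads: dict[str, bytes]) -> list[str]:
    """Verify every requirement against what the index actually served.
    Returns the names that fail; an empty list means the install may proceed."""
    return [
        req.name
        for req in parse_requirements(lockfile)
        if not artifact_matches(req, downloads[req.name])
    ]


# Constructed stand-ins for wheel files. Same name and version on the index,
# different bytes: exactly what a revived package looks like to a resolver.
GENUINE_WHEEL = b"constructed stand-in for examplepkg-1.2.3-py3-none-any.whl"
REVIVED_WHEEL = b"constructed stand-in for a hijacker's re-upload of examplepkg 1.2.3"

LOCKFILE = (
    "examplepkg==1.2.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GENUINE_WHEEL).hexdigest()}\n"
)
UNPINNED = "examplepkg>=1.2\n"  # what a name-only requirements.txt looks like

if __name__ == "__main__":
    print("genuine:", check_install(LOCKFILE, {"examplepkg": GENUINE_WHEEL}))   # []
    print("revived:", check_install(LOCKFILE, {"examplepkg": REVIVED_WHEEL}))   # ['examplepkg']
```

Two caveats a practitioner should keep in mind. First, the hash only protects versions you have already locked; the moment someone bumps the pin to a version published by the new owner, the lockfile will happily record the attacker’s digest, so the review of a lockfile change is where the human check belongs. Second, a hash pin does nothing for a dependency whose name has been removed from PyPI and re-registered with a higher version if the pipeline runs an unconstrained `pip install --upgrade`; that is the case the UNPINNED line models, and it is why the parser refuses it outright.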
Overall, Revival Hijack exposes a weakness in PyPI’s package-name policy rather than a flaw in any single package: a name that has earned trust over years can change hands the moment it is released. Closing that gap at the registry, combined with hash-pinned dependencies and vetted internal mirrors on the consumer side, is what it will take to keep removed packages from becoming a standing supply chain risk.

