September 4, 2024 at 09:49AM
Threat actors are exploiting the “Revival Hijack” attack to register new PyPI projects using the names of previously deleted packages, potentially leading to malicious package downloads. Recently leveraged in the wild, this technique highlights the need for developers to mitigate the threat by pinning packages and verifying package integrity. JFrog researchers have taken steps to reserve abandoned package names and prevent their misuse.
From the meeting notes, I have gathered the following key points:
– Threat actors are conducting supply chain attacks using an attack vector known as “Revival Hijack,” in which they register new PyPI projects with the names of previously deleted packages.
– This technique could lead to malicious code being pushed to developers pulling updates, potentially impacting 22,000 existing PyPI packages and resulting in hundreds of thousands of malicious package downloads.
– PyPI makes the names of deleted Python projects immediately available for registration, making the Revival Hijack attack possible.
– JFrog researchers took action to mitigate the risk by creating new Python projects with the names of the most popular deleted packages and registered them to prevent malicious actors from hijacking them.
– Users and organizations can mitigate the threat by pinning packages, verifying package integrity, auditing package contents, and watching for changes in package ownership or atypical update activity.
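An added example (not from the article or from JFrog) showing the two mitigations named above in working form: it audits a constructed requirements file for exact pins with sha256 hashes, the form pip enforces under `--require-hashes`, and verifies a downloaded file against the pinned digest, which a revived package published under the same name cannot satisfy. The package names and file contents are constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a downloaded wheel; its digest is what the lock file pins.
GOOD_WHEEL = b"constructed wheel bytes for example-pkg 1.4.2"

# Constructed requirements file: one line pinned with a sha256 hash, one pinned
# without a hash, one floating. Only the first blocks a revived package.
SAMPLE_REQUIREMENTS = f"""\
# constructed example, not a real lock file
example-pkg==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
other-pkg==0.9.0
floating-pkg>=2.0
"""

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s]+)")


def audit_requirements(text):
    """Return {name: problem} for every requirement that would not block a
    revived package: no exact pin, or an exact pin without a sha256 hash."""
    problems = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option line
        m = PIN_RE.match(line)
        if not m:
            name = re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0]
            problems[name] = "not pinned to an exact version; a revived package with a higher version would be pulled"
        elif not HASH_RE.search(line):
            problems[m.group(1)] = "pinned without --hash; a re-uploaded file with the same version would be accepted"
    return problems


def expected_hashes(text, name):
    """Collect the sha256 digests pinned for `name` (case-insensitive) in the requirements text."""
    for raw in text.splitlines():
        m = PIN_RE.match(raw.strip())
        if m and m.group(1).lower() == name.lower():
            return set(HASH_RE.findall(raw))
    return set()


def verify_artifact(data, digests):
    """True only if the downloaded file's sha256 matches one of the pinned digests."""
    return bool(digests) and hashlib.sha256(data).hexdigest() in digests


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {problem}")
    print("example-pkg verified:", verify_artifact(GOOD_WHEEL, expected_hashes(SAMPLE_REQUIREMENTS, "example-pkg")))
```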
Please let me know if you need any additional information or if there are specific action items to be taken based on these meeting notes.