Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers

September 4, 2024 at 09:18AM

A new supply chain attack technique, Revival Hijack, targets the Python Package Index (PyPI), allowing for hijacking of over 22,000 existing PyPI packages. Attackers can publish malicious packages under the same name and a higher version, posing a significant risk to developers. The attack has already been exploited, emphasizing the need for vigilance and preventive measures.

The key takeaways are as follows:

– A new supply chain attack technique called Revival Hijack has been discovered, which targets the Python Package Index (PyPI) registry, aiming to infiltrate downstream organizations.
– The attack method allows for the hijacking of existing PyPI packages and could potentially result in a large number of malicious package downloads.
– JFrog’s security researchers highlighted that the attack involves manipulating the re-registration option for removed PyPI software packages, ultimately allowing the publication of malicious packages under the same name and a higher version to infect developer environments.
– While PyPI has safeguards against author impersonation and typosquatting, the analysis by JFrog revealed that commands such as “pip list --outdated” and “pip install --upgrade” list the counterfeit package as a new version of the original package and replace the genuine package with the phony one without any warning.
– JFrog took steps to mitigate the risk by creating a new PyPI user account called “security_holding” to safely hijack susceptible packages and replace them with empty placeholders.
– The attack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named “pingdomv3,” subsequently releasing an update containing a Base64-encoded payload that executes an unknown next-stage module retrieved from a remote server.
– The new attack signifies that threat actors are increasingly targeting deleted PyPI packages to expand the reach of their campaigns, emphasizing the need for organizations and developers to inspect their DevOps pipelines to ensure they are not installing removed packages.
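The last two points describe the risk of an upgrade pulling in a re-registered package and recommend checking pipelines for it. The following is an added example, not code from the article or from JFrog, showing why a lockfile that pins artifact hashes (pip’s `--require-hashes` mode) does not follow a hijacked package to a higher version or to changed content. It emulates pip’s accept/reject decision in a small function rather than calling pip; the package name “examplepkg”, the artifact bytes and the hashes are all constructed for this illustration.

```python
"""Hash-pinned dependency check: why a re-registered package published under the
same name with a higher version does not slip past a lockfile that records
artifact hashes.

Added example. The package name, artifact bytes and hashes are constructed for
this illustration and do not correspond to any real PyPI package.
"""
import hashlib
import re
from dataclasses import dataclass

# One line of a pip requirements file in hash-checking mode, e.g.
#   examplepkg==1.2.0 --hash=sha256:<64 hex chars>
# Only the subset of the requirements format this example needs is parsed.
_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: frozenset  # allowed digests (typically one per platform wheel)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str) -> dict:
    """Parse hash-pinned lines into {normalized name: Pin}; reject unpinned lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not a hash-pinned requirement: {line!r}")
        digests = frozenset(h.split(":", 1)[1] for h in m.group("hashes").split())
        pins[normalize(m.group("name"))] = Pin(m.group("name"), m.group("version"), digests)
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_artifact(pins: dict, name: str, version: str, content: bytes) -> tuple:
    """Emulate the decision pip makes for one candidate artifact in
    hash-checking mode: the package must be pinned, the version must match,
    and the artifact's digest must be one of the pinned digests."""
    pin = pins.get(normalize(name))
    if pin is None:
        return False, "package not in lockfile (hash-checking mode rejects unpinned packages)"
    if version != pin.version:
        return False, f"version {version} != pinned {pin.version}"
    if sha256_hex(content) not in pin.sha256:
        return False, "sha256 mismatch: artifact content differs from the locked release"
    return True, "ok"


# Constructed scenario: the original maintainer's 1.2.0 artifact is pinned with
# its hash. Later the name is re-registered by someone else who publishes a
# higher version, and (hypothetically) an artifact carrying the old version
# string but different bytes.
ORIGINAL_1_2_0 = b"examplepkg 1.2.0 (original maintainer build)"
PINNED = f"examplepkg==1.2.0 --hash=sha256:{sha256_hex(ORIGINAL_1_2_0)}\n"
REUPLOADED_1_2_0 = b"examplepkg 1.2.0 (re-registered, different content)"
HIJACK_9_9_9 = b"examplepkg 9.9.9 (re-registered, higher version)"


def demo() -> dict:
    """Run the three cases; True means the artifact would be installed."""
    pins = parse_pinned_requirements(PINNED)
    return {
        "original": check_artifact(pins, "examplepkg", "1.2.0", ORIGINAL_1_2_0)[0],
        "same_version_different_content": check_artifact(pins, "ExamplePkg", "1.2.0", REUPLOADED_1_2_0)[0],
        "higher_version": check_artifact(pins, "examplepkg", "9.9.9", HIJACK_9_9_9)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point of the example is the contrast with an unpinned “pip install --upgrade”: a plain upgrade resolves to the highest version available under the name, which is exactly what a re-registered package controls, whereas a hash-pinned lockfile ties each dependency to specific artifact contents, so a new publisher of the same name cannot be installed without the lockfile being deliberately changed.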

The discovery of the Revival Hijack technique underscores the critical importance of vigilance and precaution within the PyPI community and highlights the continually growing attack surface in the PyPI package ecosystem.
