September 4, 2024 at 04:43PM
Security researchers have discovered a concerning method for attackers to distribute malicious payloads through the PyPI package repository. By re-registering a removed package with the same name, adversaries can pass off rogue packages as legitimate ones. This “Revival Hijack” method poses a clear threat, with 120,000 abandoned packages susceptible to misuse. JFrog recommends vigilance and stricter policies to prevent this attack vector.
The meeting notes summarize a significant security threat referred to as the “Revival Hijack” method, which involves attackers re-registering malicious packages on the PyPI package repository using the same names as previously legitimate but now removed packages. This allows adversaries to distribute malware by tricking organizations into downloading these rogue packages, exploiting the fact that PyPI does not restrict the reuse of names of removed packages.
JFrog researchers have identified this technique as a form of supply chain attack and have cautioned PyPI users to remain vigilant and ensure that their CI/CD machines do not attempt to install packages that were previously removed from PyPI. The method is particularly concerning because it does not rely on user error and can effectively deliver malware to enterprise environments.
The researchers also found that a large number of removed packages on PyPI, totaling approximately 120,000, are susceptible to being hijacked for malicious purposes. Additionally, they demonstrated that even after replacing the most popular abandoned packages with empty ones, these empty packages still received significant numbers of automatic and manual downloads.
JFrog has recommended that PyPI prohibit the reuse of abandoned package names altogether to prevent adversaries from exploiting this attack vector. Organizations using PyPI are also urged to be cautious when upgrading to new package versions to mitigate the risk of falling victim to the Revival Hijack method.
In summary, the meeting notes highlight the urgency of addressing the Revival Hijack threat to ensure the security of the PyPI package repository and the organizations using it.