A newly discovered PyPI hijack technique called “Revival Hijack” has been exploited in the wild, posing a significant threat to thousands of Python packages. Identified by JFrog’s security research team, the method takes advantage of a loophole in the PyPI software registry that allows attackers to re-register package names that have been removed by their original owners.
Jfrog researchers Andrey Polkovnichenko and Brian Moussalli said this technique has the potential to affect over 22,000 packages, putting countless systems at risk.
What is the “Revival Hijack” Technique?
The Revival Hijack method allows attackers to take control of package names that have been deleted from the PyPI registry. Unlike traditional typosquatting, which relies on users accidentally installing packages with names similar to popular ones, Revival Hijack doesn’t require the victim to make any mistakes. When a package is deleted, its name becomes available for anyone to register. Attackers can then publish a new, malicious version under the same name, making it seem like a legitimate update to unsuspecting users.
This method is particularly dangerous because many systems automatically update packages, assuming that previously safe software remains secure. In reality, these updates could introduce malicious code, compromising the systems that use them.
The Widespread Potential of the Attack
In their research, JFrog identified over 120,000 packages that could potentially be hijacked using this technique. After filtering out spam and considering only packages with significant usage, they found more than 22,000 packages at risk. The frequency of package removal from PyPI—about 309 packages per month—means the threat landscape continues to grow.
The Revival Hijack technique has already been used to hijack the “pingdomv3” package. While JFrog’s proactive measures prevented widespread damage, the incident underscores the vulnerability of open-source software registries like PyPI.
Far Reaching Implications
The implications of the Revival Hijack technique are far-reaching. Attackers could use this method to launch supply chain attacks, targeting organizations that rely on Python packages for their software development and deployment processes. By infiltrating these environments, bad actors could gain access to sensitive resources, leading to data breaches, system compromises, and other serious security incidents.
While JFrog has taken steps to protect the PyPI community by reserving vulnerable packages, the threat remains. Developers and organizations must stay vigilant and ensure their systems are not attempting to install packages that have been removed from the registry.
Securing Open-Source Software
The Revival Hijack technique highlights the ongoing challenges of securing open-source software repositories. As attackers continue to find new ways to exploit these platforms, it is crucial for the community to remain proactive in identifying and mitigating potential threats. The discovery of this technique serves as a reminder that even seemingly minor vulnerabilities can have significant consequences in the world of software development.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.