Sep 04, 2024Ravie Lakshmanan
A new supply chain attack technique has emerged, targeting the Python Package Index (PyPI) registry, with real-world exploits attempting to infiltrate downstream organizations.
Dubbed Revival Hijack by software supply chain security firm JFrog, this attack method could potentially compromise 22,000 existing PyPI packages, leading to “hundreds of thousands” of malicious package downloads. The vulnerable packages are those with more than 100,000 downloads or have been active for over six months.
According to JFrog security researchers Andrey Polkovnychenko and Brian Moussalli, the attack involves hijacking PyPI software packages by re-registering them once they’re removed from PyPI’s index by the original owner. This opens the door for exploitation and poses a significant risk to the community.
PyPI packages may get removed for various reasons, leaving their names open for re-registration by any user. This creates a unique opportunity for bad actors to inject malicious packages under the guise of legitimate ones.
Statistics indicate that an average of 309 packages are removed each month from PyPI, providing a fertile ground for potential abuse. Despite safeguards in place, such as preventing author impersonation and typosquatting, there are loopholes that threat actors can exploit.
JFrog’s analysis highlighted that executing common commands like “pip list –outdated” and “pip install –upgrade” could inadvertently replace genuine packages with fraudulent ones, posing a severe risk to developers.
To combat this threat, JFrog created a new PyPI user account named “security_holding” to preemptively hijack susceptible packages and replace them with benign versions to thwart malicious attempts.
One concerning incident involved an unknown threat actor introducing a benign version of a package into PyPI, only to later update it with a payload that could execute malicious code on the target environment.
This alarming trend indicates a shift towards supply chain attacks on a larger scale, underscoring the need for heightened vigilance among organizations and developers. It is imperative to review DevOps pipelines to ensure that removed packages are not inadvertently installed.
As highlighted by Moussalli, users must remain vigilant and take proactive measures to safeguard against hijack techniques in the PyPI community amidst an evolving threat landscape.