Thousands of Applications at Risk Due to PyPI Revival Hijack

SeniorTechInfo

The Revival Hijack: A New Threat to Software Supply Chain Security

A software supply chain attack technique that researchers have now observed being exploited in the wild is drawing attention across the security community. Dubbed the “Revival Hijack,” it targets Python applications that pull their dependencies from the Python Package Index (PyPI).

Researchers at JFrog estimate that the technique could affect around 22,000 existing Python packages and, given their download volumes, could lead to millions of downloads of malicious code. The Revival Hijack does not exploit a bug in PyPI’s software; it abuses a registry policy that comes into play when authors delete their projects from PyPI.

When a developer deletes a project from PyPI, its name immediately becomes available for anyone to register. An attacker can claim the name and publish a new release under it, and every environment that still resolves that name from PyPI will receive the attacker’s code in place of the original.

A New Era of Supply Chain Attacks

The Revival Hijack represents a shift in supply chain attack strategy: it does not need a victim to mistype or choose the wrong package, only to update a package that was once safe. A hijacker merely has to publish a release with a version number above the original’s last one, and any environment that resolves an unpinned dependency or runs an upgrade will select it. CI/CD machines are the largest exposure, since they are often configured to install package updates automatically and without review.

Unlike earlier attacks that relied on human error, the Revival Hijack exploits the trust that developers place in the repository itself. JFrog’s team replicated it by registering removed package names with benign placeholder packages that carried the original name but their own code. Those “safely hijacked” packages were downloaded about 200,000 times in just three months, a measure of how much install traffic a deleted name continues to attract.
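The mechanics described above suggest two checks a practitioner can run before a build: classify each dependency by how much it trusts whatever PyPI currently serves for a name (an unpinned requirement is exactly what a revived name relies on), and look at a package’s release timeline for a long silence followed by fresh uploads, which is what a deleted-then-re-registered name looks like. The following Python is an added example, not code from the original article or from JFrog’s research tooling. It assumes a requirements-style dependency file and release metadata shaped like PyPI’s JSON API (`releases` mapping a version to a list of file entries with `upload_time_iso_8601`); the 365-day gap threshold is an arbitrary assumption, and all sample data is constructed.

```python
"""Exposure checks for PyPI "Revival Hijack" conditions (added example, not JFrog's code)."""
from datetime import datetime, timedelta
import hashlib
import re

PINNED = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)(.*)$")
NAME = re.compile(r"^([A-Za-z0-9_.\-]+)")
SHA256_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name):
    """PEP 503 name normalization, as PyPI and pip apply it."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Classify each requirement by how much it trusts PyPI.

    floating     -> any newer upload under that name gets installed (a revived name wins)
    pinned       -> the version is frozen, but the bytes served for it are not verified
    hash-pinned  -> pip --require-hashes rejects any file whose digest differs
    """
    report = {}
    # Join backslash continuations so "--hash=" lines stay with their requirement.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or option (-r/-e/--index-url)
            continue
        m = PINNED.match(line)
        if not m:
            n = NAME.match(line)
            report[normalize(n.group(1) if n else line)] = "floating"
            continue
        name, _version, rest = m.groups()
        report[normalize(name)] = "hash-pinned" if SHA256_HASH.search(rest) else "pinned"
    return report


def revival_signals(releases, max_gap_days=365):
    """Return versions whose first upload follows a silence longer than max_gap_days.

    A deleted name that is re-registered shows up as a long gap followed by fresh
    uploads. The threshold is an assumption; a hit means "inspect", not "compromised".
    """
    timeline = []
    for version, files in releases.items():
        if not files:
            continue  # release entry whose files were removed: no upload time to use
        first = min(
            datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            for f in files
        )
        timeline.append((first, version))
    timeline.sort()
    return [
        version
        for (prev, _), (cur, version) in zip(timeline, timeline[1:])
        if cur - prev > timedelta(days=max_gap_days)
    ]


def artifact_matches(data, expected_sha256):
    """The per-file check behind pip --require-hashes: content, not name, is trusted."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


# --- constructed sample data (not real packages or real release dates) ---------
SAMPLE_ARTIFACT = b"constructed stand-in for a downloaded wheel"
GOOD_HASH = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

SAMPLE_REQUIREMENTS = (
    "# constructed requirements.txt\n"
    "requests>=2.0\n"                     # floating
    "PyYAML==6.0.1\n"                     # pinned
    "urllib3==2.2.1 \\\n"
    f"    --hash=sha256:{GOOD_HASH}\n"    # hash-pinned
)

SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2019-03-02T10:00:00.000000Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2019-09-14T10:00:00.000000Z"}],
    "1.1.1": [],  # files deleted from this release; nothing to date
    "1.2.0": [{"upload_time_iso_8601": "2024-08-20T08:30:00.000000Z"}],  # after ~5 years of silence
}

if __name__ == "__main__":
    for name, status in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:10} {status}")
    print("releases after a long gap:", revival_signals(SAMPLE_RELEASES))
    print("artifact matches lockfile hash:", artifact_matches(SAMPLE_ARTIFACT, GOOD_HASH))
```

In a pipeline, the `releases` dictionary would come from `https://pypi.org/pypi/<name>/json` for each dependency; the point of `audit_requirements` is that only the hash-pinned entry is immune to a revived name, because pip then trusts the file digest recorded in the lockfile rather than whatever PyPI now serves under that name and version.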

Brian Moussalli, Research Team Leader at JFrog, emphasized the real-world impact of this attack: “The Revival Hijack is not just a theoretical threat – our research team has already observed it being exploited in the wild.”

Urgent Warning for Developers

JFrog’s researchers warn that tactics like the Revival Hijack let malicious code enter the repository under names that downstream projects already trust. They urge developers to be cautious and call on PyPI to adopt a stricter policy that prevents deleted package names from being reused. In practical terms, that caution means pinning dependency versions (with hashes where the tooling supports it) and treating a dependency that has vanished from PyPI, or reappeared after a long silence, as something to inspect before the next build.

Michael Clark, Director of Threat Research at Sysdig, highlights the importance of vigilance when utilizing code repositories like PyPI: “Repositories pose a significant security challenge as they are often blindly trusted by developers. The Revival Hijack attack underscores the need for thorough static and runtime analysis of dependencies to thwart potential threats.”
