Revival Hijack Supply-Chain Attack Threatens 22,000 PyPI Packages


Threat actors are using an attack called “Revival Hijack,” in which they register new PyPI projects under the names of previously deleted packages in order to conduct supply chain attacks.

The technique “could be used to hijack 22K existing PyPI packages and subsequently lead to hundreds of thousands of malicious package downloads,” the researchers say.

Hijacking popular projects

“Revival Hijack” is an attack vector that involves registering a new project with the name of a package that has been removed from the PyPI platform. By doing so, a threat actor could push malicious code to developers pulling updates.

The attack is possible because PyPI makes the names of deleted Python projects immediately available for registration.

[Figure: Revival Hijack attack flow. Source: JFrog]

Developers who decide to delete a project from PyPI only receive a warning about the potential consequences, including the Revival Hijack attack scenario.

“Deleting this project will make the project name available to any other PyPI user,” cautions the dialog.

“This user will be able to make new releases under this project name, so long as the distribution filenames do not match filenames from a previously released distribution.”

According to researchers at JFrog, a software supply chain platform, more than 22,000 deleted packages on PyPI are vulnerable to the Revival Hijack attack, some of them quite popular.

The researchers say that the monthly average of packages deleted on PyPI is 309, indicating a steady stream of fresh opportunities for attackers.

[Figure: Monthly package removal stats. Source: JFrog]

JFrog says that a developer may decide to remove their package for a variety of reasons that range from the script no longer being needed to re-writing a tool and publishing it under a new name.

In some cases, the package becomes redundant because its functionality is introduced in official libraries or built-in APIs.

The case of “pingdomv3”

In mid-April, JFrog observed Revival Hijack being leveraged in the wild, when a threat actor targeted “pingdomv3”, an implementation of the Pingdom API for the website monitoring service of the same name.

The package was deleted on March 30, but a new developer hijacked the name and published an update the same day, indicating that the attackers knew about the issue.

In a subsequent update, the package included a Python trojan that was obfuscated using Base64 and targeted Jenkins CI/CD environments.

[Figure: Attack timeline. Source: JFrog]

JFrog leaps to the rescue

JFrog researchers took action to mitigate the risk of Revival Hijack attacks by creating new Python projects under the names of the most popular already-deleted packages.

JFrog explains that PyPI maintains a non-public blocklist that prevents certain names from being registered on new projects, but most deleted packages don’t make it on that list.

This led the security firm to take indirect action against the “Revival Hijack” threat and register the most popular of the deleted, vulnerable package names under an account named security_holding.

The re-registered packages are empty, and the researchers set their version number to 0.0.0.1 to make sure that active users don’t pull an update.

This action essentially reserves the package names and prevents malicious actors from hijacking them for nefarious purposes.

Three months later, JFrog noticed that the packages in their repository had close to 200,000 downloads from automated scripts and user mistypes.

The “Revival Hijack” case is far more dangerous than standard typosquatting attacks on PyPI, because users pulling an update for a project they already chose make no typing mistake.

To mitigate the threat, users and organizations can pin packages to specified, known-trustworthy versions, verify package integrity, audit package contents, and watch for changes in package ownership or atypical update activity.
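Added example (not from the article or JFrog): a check over constructed, PyPI-style release metadata that flags the indicators listed above (publisher change, version going backwards, a long silence before a new release) and verifies a pip `--hash` pin; the package name, e-mail addresses, dates and hashes are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the fields of PyPI's /pypi/<name>/<version>/json
# (info.author_email, urls[].upload_time_iso_8601, urls[].digests.sha256).
# Package name, dates, e-mails and hashes are hypothetical.
RELEASES = [
    {"version": "1.2.0", "author_email": "maint@example.org",
     "upload_time": "2023-11-02T10:00:00Z", "sha256": "aa" * 32},
    {"version": "1.2.1", "author_email": "maint@example.org",
     "upload_time": "2024-01-15T09:30:00Z", "sha256": "bb" * 32},
    # Name deleted and re-registered by a different account, which pushes a
    # new release after months of silence: the pattern described for pingdomv3.
    {"version": "1.2.2", "author_email": "new-owner@example.net",
     "upload_time": "2024-03-30T18:45:00Z", "sha256": "cc" * 32},
]


def _vtuple(v):
    # Simplified numeric-only comparison; full PEP 440 handling needs 'packaging'.
    return tuple(int(p) for p in v.split("."))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hijack_indicators(releases, gap_days=60):
    """Return (version, reason) pairs for releases that look like a revived name."""
    flagged = []
    ordered = sorted(releases, key=lambda r: _ts(r["upload_time"]))
    for prev, cur in zip(ordered, ordered[1:]):
        reasons = []
        if cur["author_email"] != prev["author_email"]:
            reasons.append("publisher changed")
        if _vtuple(cur["version"]) < _vtuple(prev["version"]):
            reasons.append("version went backwards")
        gap = (_ts(cur["upload_time"]) - _ts(prev["upload_time"])).days
        if reasons and gap > gap_days:
            reasons.append(f"after {gap}-day silence")
        if reasons:
            flagged.append((cur["version"], "; ".join(reasons)))
    return flagged


def pinned_hash_ok(requirement_line, releases):
    """Check a 'pkg==ver --hash=sha256:...' pin (pip hash-checking mode) against releases."""
    name_ver, _, hashpart = requirement_line.partition(" --hash=sha256:")
    version = name_ver.split("==")[1].strip()
    return any(r["version"] == version and r["sha256"] == hashpart.strip()
               for r in releases)
```

Note that a name reserved as a holding package, like JFrog's 0.0.0.1 placeholders, is flagged by the same heuristic, so the output is a review queue rather than a verdict.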

Bill Toulas
