Researchers at JFrog have recently discovered a PyPI supply chain attack technique being exploited in the wild, dubbed “Revival Hijack”. This technique can be used to hijack Python packages hosted on PyPI by manipulating the option to re-register(revive) their names once the owner takes them down.
A package repository is a centralized storage location for software packages, which are pre-compiled files that contain all the necessary components to install and run software applications.
PyPI is Python’s package repository.
A Python package is a way to organize and structure related Python code into reusable components.
Open-source repositories have long been targets of exploitation by hackers owing to the public availability of their source code and widespread use within major corporations. One of the most popular attack vectors on users of open-source repositories is typosquatting wherein attackers slightly alter the names of popular repositories hoping to trick developers into installing these deceptive packages. This vector relies heavily on human error, making it all but obsolete in the modern day when developers have advanced development environments that aid them in identifying unsafe packages. But what if the name of a deceptive package were exactly the same as the legitimate package it was trying to mimic? This is what revival hijacking enables hackers to accomplish.
The technique itself hinges on the fact that when developers remove their projects from PyPI, the associated package names immediately become available for registration by any other user. This means that once a popular project is deleted, attackers can easily hijack the package’s name and subsequently infect any user who tries to install or update that package to the latest version.
What makes revival hijacking such a powerful technique is that it does not rely on human error. The malicious package uses the exact name and likeness of the package it wants to mimic. Due to the reputation of the original package, most people would update it without checking the package for malicious code.
The researchers were able to find 22,000 popular packages that were susceptible to being revival hijacked. They have since safely hijacked the most susceptible package names and replaced them with empty packages to prevent hackers from taking advantage of them.
So, how can you avoid falling prey to techniques like this one? Here are two classes of victims that are most susceptible to this attack technique:
- People updating a “once safe” package to its latest version, viewing it as a safe operation (although it isn’t!)
- CI/CD machines that are already set up to install these packages automatically
Make sure you are not one of them. Always check what you’re installing, be it an update or a new installation, do not rely on reputation alone. Dive deep, do your research. Stay informed, Stay secure.
Until next time.