Up to 22,000 PyPI packages may be at risk of being hijacked in a newly-developed supply chain attack technique, research reveals.
Security researchers at devops specialist JFrog published a blog warning developers about a new attack technique that leverages the ability to re-register popular packages once the original owner removes them from PyPI’s index.
Dubbed ‘Revival Hijack’, the technique builds on a popular attack vector used to target open source software repositories, ‘typosquatting’, whereby hackers register packages names that are almost identical to popular ones used in thousands of applications.
Often only changing one letter, developers can accidentally install the malicious package if not paying close attention to its name.
Relying on human error, the efficacy of this type of attack has decreased somewhat as developers have become more aware of the technique, and modern developer environments began introducing mitigations to neutralize the threat.
Revival Hijack, however, takes advantage of the fact that when developers remove their projects from the PyPI repository, their names become immediately available.
This presents an opening where threat actors can quickly upload their own malicious package under the same name, and wait for unaware developers, or CI/CD systems to download them.
JFrog noted that the only safeguard to protect developers from inadvertently downloading malicious packages is a dialogue box that warns the original developer about the potential consequences of removing the package.
One of blog’s authors, Brian Moussalli, leader of malware research at JFrog, warned this technique is already being exploited in the wild, providing an example of the ‘pingdomv3’ package being hijacked by threat actors.
He added this is just the latest technique in an ever complexifying PyPI package attack surface.
“The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique.”
“Extremely powerful” PyPI attack doesn’t rely on human error
Moussalli and his coauthor, Andrey Polkovnichenko, security researcher at JFrog, labeled the attack as “extremely powerful”, offering three justifications for this description.
Firstly, unlike previous techniques like typosquatting, the attack doesn’t rely on the victim making a mistake when installing the package.
In addition, most developers consider updating a ‘once safe’ package to its latest version to be a risk free operation, not understanding this latest version could be from a different developer, and potentially malicious.
Finally, Moussalli and Polkovnichenko noted that many CI/CD machines are configured to install these packages automatically, meaning they could be loading malware onto your system without a human ever being in the loop.
Henrik Plate, security researcher at Endor Labs, stressed the risk this attack vector poses to end-users is very real, but does depend on the popularity of the package and the interval between the original being taken down, as well as the malicious package being uploaded.
“This risk is real, and depends on the popularity of the package. The risk probably decreases if packages have been deleted a long time ago, because the longer a package has been taken down, the more developers and pipelines have noticed its unavailability and adapted their dependency declarations.”
Plate referenced the example of ‘pingdomv3’ provided by Moussalli and Polkovnichenko, noting the speed with which the attacker was able to upload a decoy package under the same name.
“In this context, it is noteworthy that the example provided was revived just shortly after the deletion, which could indicate that the attacker monitored package deletions on PyPI.”
