
Python Package Index Registry (PyPI) Attack

· 2 min read

New vulnerability targeting PyPI has been discovered

New PyPI Vulnerability Discovered

A new supply chain attack technique, named Revival Hijack by security firm JFrog, has emerged targeting the Python Package Index (PyPI) registry. It exploits the fact that once a package's original owner removes it from the PyPI index, anyone can re-register the same name. JFrog estimates that up to 22,000 existing packages with high download counts or long-term activity could be hijacked this way, leading to potential malicious downloads affecting hundreds of thousands of developers.

The technique involves attackers using the names of deleted packages to publish malicious versions under the same names, exploiting developers' trust in package updates. The method is more effective than typosquatting because it doesn't rely on user mistakes but rather takes advantage of routine update operations.

JFrog’s analysis reveals that while PyPI has safeguards against author impersonation, the Revival Hijack technique can still trick users by presenting the malicious package as an updated version of the original. This issue was highlighted when a benign package was replaced with a malicious one on March 30, 2024, which later delivered a payload targeting specific environment variables. JFrog has intervened by creating placeholder packages with version 0.0.0.1 to mitigate the risk.

The incident underscores the growing threat of supply chain attacks targeting package registries, emphasizing the need for developers to carefully manage and review their dependencies to protect against such vulnerabilities.
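The practical defense the post points at, reviewing and managing dependencies, comes down to not trusting a package name alone: a revived name can ship any content, and a routine upgrade will happily pull it. Pinning exact versions together with artifact hashes (pip's `--require-hashes` mode) makes a hijacked release fail closed, because the attacker's upload cannot reproduce the hash recorded when the dependency was first reviewed. The script below is an added illustration, not code from the post or from JFrog; it parses a constructed hash-pinned requirements file and checks candidate downloads against it. The package name `example-pkg`, its version numbers and the artifact bytes are all constructed for the demo.

```python
import hashlib
import re

# --- Constructed sample data (not real packages or real hashes) -----------
# Artifact bytes as they looked when the dependency was reviewed and pinned.
GOOD_ARTIFACT = b"example-pkg 1.2.0 sdist contents (constructed, benign)"
# Same name and version, but re-uploaded under a revived project name.
HIJACKED_ARTIFACT = b"example-pkg 1.2.0 sdist contents (constructed, tampered)"

# A hash-pinned requirements file in the format `pip hash` / pip-compile
# produce. In real use this is generated once and committed; here the digest
# is computed at import time purely so the demo is self-contained.
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
LOCKFILE = f"""\
# constructed lock file; each pin binds name==version to its artifact digest
example-pkg==1.2.0 \\
    --hash=sha256:{GOOD_SHA256}
"""


def _normalize(name: str) -> str:
    """PEP 503 style normalization so example_pkg and Example-Pkg match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict[tuple[str, str], set[str]]:
    """Return {(normalized name, version): {sha256 hex digests}}.

    Raises ValueError on any requirement that is not exactly pinned with at
    least one --hash, because an unpinned line would silently accept a
    revived package's newest release.
    """
    logical = text.replace("\\\n", " ")  # join backslash line continuations
    pins: dict[tuple[str, str], set[str]] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)(.*)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, rest = m.groups()
        hashes = set(re.findall(r"--hash=sha256:([0-9a-fA-F]{64})", rest))
        if not hashes:
            raise ValueError(f"{name}=={version} has no --hash pin")
        pins[(_normalize(name), version)] = {h.lower() for h in hashes}
    return pins


def verify_artifact(pins, name: str, version: str, artifact: bytes) -> tuple[bool, str]:
    """Accept a downloaded artifact only if name, version and digest are pinned.

    Two failure modes matter for Revival Hijack:
      * a 'new' version the attacker publishes is not in the lock file at all;
      * a re-upload of a pinned version has a different digest.
    """
    key = (_normalize(name), version)
    if key not in pins:
        return False, f"{name}=={version} is not in the lock file; refusing unreviewed release"
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in pins[key]:
        return False, f"{name}=={version} digest {digest[:12]}... does not match pinned hash"
    return True, f"{name}=={version} matches pinned hash"


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for label, ver, blob in [
        ("original release", "1.2.0", GOOD_ARTIFACT),
        ("revived name, same version", "1.2.0", HIJACKED_ARTIFACT),
        ("revived name, newer version", "9.9.9", HIJACKED_ARTIFACT),
    ]:
        ok, reason = verify_artifact(pins, "example-pkg", ver, blob)
        print(f"{label:30} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The same outcome is what `pip install --require-hashes -r requirements.txt` enforces natively; the script only makes the decision logic visible. Note that hash pinning protects against a silently swapped artifact but not against a deliberate upgrade to the revived package, so lock-file diffs still need review, and a package whose upstream project has been deleted is a signal to look for a fork or vendor the code rather than keep tracking the name.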

Vulnerabilities like these are exactly what we're here to prevent. Protean will allow the user to quickly identify these and easily remedy the situation in real time as it is discovered. Check out our free trial at Protean Labs.