Revival Hijack: How Abandoned PyPI Package Names Are Being Exploited to Deliver Malware

Introduction

Security researchers have uncovered a novel and concerning method for cybercriminals to distribute malware using public code repositories. Known as "Revival Hijack," this technique involves the re-registration of previously abandoned package names on the PyPI repository. By taking advantage of the fact that PyPI allows the reuse of names from removed packages, attackers are able to slip malicious code into unsuspecting organizations. This discovery sheds light on the vulnerabilities present in widely used software ecosystems and highlights the need for robust digital threat scoring and brand protection strategies.

How the Revival Hijack Attack Works

The Revival Hijack method capitalizes on the reuse of package names that were once available on PyPI but later removed. Adversaries register new packages under these abandoned names, mimicking legitimate versions that developers might have relied on in the past. By simply updating or downloading what they believe to be a safe package, users unknowingly install malware.

This technique is different from typical attacks such as typosquatting, where minor variations of popular package names are used to trick developers into downloading malicious software. The danger of Revival Hijack lies in its ability to exploit a practice considered routine—updating a package to its latest version.

Exploiting the Software Supply Chain

Once attackers hijack an abandoned package, they can introduce malware into an organization’s continuous integration and deployment (CI/CD) systems. According to researchers at JFrog, this can open the door to a wide range of supply chain attacks, as many CI/CD pipelines automatically install updated versions of packages without thorough scrutiny.

Organizations utilizing public code repositories like PyPI are at risk of inadvertently incorporating compromised code into their software projects. This makes Revival Hijack a significant threat to enterprise environments that rely on these repositories for open-source components.

The Scale of the Threat

JFrog’s analysis revealed just how widespread this vulnerability could be. The researchers identified approximately 120,000 packages on PyPI that had been removed and could be easily hijacked by attackers. Narrowing the focus to more active packages that had been used extensively, the number still stood at a staggering 22,000. These findings point to the potential for widespread exploitation if measures are not taken to protect these abandoned package names.

To demonstrate the severity of this threat, JFrog researchers "hijacked" several popular abandoned packages, replacing them with empty versions that had a version number of 0.0.0.1 to ensure no one would accidentally install them. Despite this precaution, the empty packages still received nearly 200,000 downloads in a three-month period—evidence of just how vulnerable the ecosystem is to this attack vector.

Protecting Against Revival Hijack

Preventing Revival Hijack requires proactive measures from both code repository maintainers and the organizations that use them. JFrog has recommended that PyPI introduce stricter controls, such as prohibiting the reuse of package names once they have been removed. This would prevent attackers from capitalizing on abandoned packages to launch malware attacks.

For organizations, vigilance is key. It's essential to carefully monitor and evaluate the packages being used, particularly when upgrading to new versions. Employing compromised data tracking and online risk evaluation can help identify suspicious activity and mitigate the risk of malware infiltrating software supply chains. Additionally, the use of darknet monitoring services and digital footprint analysis tools can provide valuable insights into potential vulnerabilities.

Conclusion

The discovery of the Revival Hijack technique highlights the evolving nature of software supply chain attacks. By taking advantage of abandoned package names, cybercriminals are able to inject malicious code into enterprise environments with relative ease. As organizations continue to rely on public code repositories like PyPI, it’s crucial to remain vigilant and adopt advanced brand protection and digital threat scoring strategies. With more than 120,000 packages at risk, the potential for widespread exploitation is real, and taking proactive steps now can prevent future attacks.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.