‘Revival Hijack on PyPI: Concealing Malware with Authentic File Names’

Security Researchers Uncover Threat of Malicious Payloads via PyPI Revival Hijack

Security researchers have uncovered a devious tactic that enables attackers to distribute malicious payloads through the PyPI package repository. Dubbed the “Revival Hijack” method, this technique involves registering a malicious package on PyPI under the same name as a legitimate package that was previously registered but has since been removed. Organizations that still reference the old name then download the rogue package, unaware that it is no longer the project they originally depended on.

JFrog researchers issued a warning this week, urging PyPI users to remain vigilant and ensure their CI/CD machines do not attempt to install packages that were once removed from the repository. The researchers recently observed a threat actor employing this tactic in an apparent effort to disseminate malware.

This method is just one of several tactics that cyber adversaries have employed in recent years to infiltrate enterprise environments through public code repositories such as PyPI. Other common tactics include cloning and infecting popular repositories, poisoning artifacts, leveraging leaked secrets, and typosquatting attacks.

According to JFrog, when a developer removes a project from PyPI, the associated package names become immediately available for anyone to use. This provides attackers with an easy opportunity to hijack these package names and potentially infect unsuspecting users who try to update or install the “new” versions.

In response to their findings, JFrog researchers hijacked the most popular abandoned packages on PyPI to prevent adversaries from misusing them. Despite their efforts, the threat of Revival Hijack remains pervasive, highlighting the need for stronger security measures on the PyPI repository. JFrog recommended that PyPI prohibit the reuse of abandoned package names to mitigate this threat effectively. Organizations using PyPI are advised to exercise caution when upgrading to new package versions to avoid falling victim to these malicious tactics.
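The check below is an added example, not code from JFrog or PyPI: a CI-side audit of a requirements file that flags any dependency whose name appears on a list of packages known to have been removed, and any dependency that is not pinned and would therefore pick up a "new" version automatically. The `REMOVED_NAMES` list, the sample requirements and the function names are constructed for illustration; it assumes the organization maintains such a list from its own inventory.

```python
import re

# Constructed sample data: names recorded locally as removed from PyPI.
REMOVED_NAMES = {"old-helper-lib", "acme-utils"}

# Constructed requirements file content.
SAMPLE_REQUIREMENTS = """\
# build dependencies
requests==2.31.0
Old_Helper.Lib>=1.0
acme-utils[cli]==0.4.2   # pinned, but the name was removed
numpy
-r other.txt
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: runs of '-', '_', '.' are equal, case-insensitively."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, removed_names):
    """Return (line_no, normalized_name, reason) for each risky requirement."""
    removed = {normalize(n) for n in removed_names}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop comments ('#' at line start or after whitespace), then trim.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as -r / --hash
        match = _NAME_RE.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        spec = line[match.end():]  # extras and version specifier, if any
        if name in removed:
            # A removed name can be re-registered by anyone, pinned or not.
            findings.append((line_no, name, "removed-name"))
        elif "==" not in spec:
            findings.append((line_no, name, "unpinned"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in audit_requirements(SAMPLE_REQUIREMENTS, REMOVED_NAMES):
        print(f"line {line_no}: {name}: {reason}")
```

Failing the build on any `removed-name` finding keeps a CI machine from installing a package that was once removed, which is the condition the researchers warn about.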
