https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
A novel supply chain attack technique targeting the Python Package Index (PyPI) registry has been identified and exploited in the wild. Dubbed “Revival Hijack,” the attack leverages the ability to re-register removed packages, potentially impacting thousands of downstream organizations.
Researchers at JFrog discovered that over 22,000 removed PyPI packages are vulnerable to this attack. These packages have been downloaded more than 100,000 times or have been active for over six months.
The attack technique exploits the fact that removed packages can be re-registered by any user. By creating a malicious version of a removed package with a higher version number, attackers can trick developers into installing it unknowingly. This is particularly concerning as many developers rely on the “pip install --upgrade” command to keep packages up-to-date.
JFrog has taken steps to mitigate the risk by hijacking vulnerable packages and replacing them with empty placeholders. However, the attack demonstrates the growing sophistication of supply chain attacks and the need for increased vigilance from organizations and developers.
To protect themselves, organizations and developers should inspect their DevOps pipelines for packages that have been removed from the repository. Additionally, staying updated on security advisories and best practices is crucial to mitigating supply chain risks.
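One way to do that inspection, as an added example that is not code from the JFrog post: audit a pinned requirements file against the PyPI JSON API, flagging dependencies that no longer exist on the index (a name anyone could re-register) and projects whose oldest upload postdates the last time the pins were reviewed (a sign the name was re-registered). The requirements content, the review date and the sample index responses are constructed; the `releases` / `upload_time_iso_8601` fields are the real PyPI JSON layout.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

def fetch_pypi(name):
    """Live lookup: PyPI project JSON, or None when the project no longer exists (HTTP 404)."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json") as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def earliest_upload(meta):
    """Oldest upload time across all releases, or None if the project has no files."""
    stamps = [f["upload_time_iso_8601"] for files in meta["releases"].values() for f in files]
    return min(datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps) if stamps else None

def audit(requirements, reviewed_at, fetch=fetch_pypi):
    """Map package name -> finding for pinned deps that look removed or re-registered."""
    findings = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; only exact pins are checked
        if "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        meta = fetch(name)
        if meta is None:
            findings[name] = "removed from index; the name can be re-registered by anyone"
        elif (first := earliest_upload(meta)) and first > reviewed_at:
            findings[name] = "every release postdates the last review; project was likely re-registered"
        elif version not in meta["releases"]:
            findings[name] = f"pinned version {version} is not on the index"
    return findings

# Constructed offline stand-in for the index, so the example runs without network access.
SAMPLE_INDEX = {
    "good-pkg": {"releases": {"2.0.0": [{"upload_time_iso_8601": "2022-06-01T10:00:00.000000Z"}]}},
    "revived-pkg": {"releases": {"9.9.9": [{"upload_time_iso_8601": "2024-07-15T08:30:00.000000Z"}]}},
}
SAMPLE_REQUIREMENTS = "good-pkg==2.0.0\nremoved-pkg==1.2.0  # gone from PyPI\nrevived-pkg==1.0.0\n"

def demo():
    """Run the audit against the constructed index; pass fetch=fetch_pypi for a live check."""
    return audit(SAMPLE_REQUIREMENTS, datetime(2023, 1, 1, tzinfo=timezone.utc), SAMPLE_INDEX.get)

if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {why}")
```

Any package the audit flags should be pinned to a hash (pip's `--require-hashes` mode) or dropped before the next `pip install --upgrade` run.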