If you're using Python packages in your projects, you’ve probably heard about vulnerabilities within the Python Package Index (PyPI), but what does this mean for your business? More importantly, what should you do about it?
A recent supply chain attack has highlighted a vulnerability within PyPI, which could potentially expose 22,000 previously removed packages to malicious activity. At Justice IT Consulting, we’re here to answer your most pressing questions about this new attack technique, known as Revival Hijack, and what it means for your software supply chain security.
- What is Revival Hijack?
Revival Hijack is a new attack method discovered by JFrog’s security team. This technique allows attackers to exploit previously removed PyPI packages by re-registering the freed package name under a new owner, effectively hijacking it. This means that packages once considered safe could be republished with malicious code, all while appearing to be legitimate updates.
In their report, JFrog outlined that over 22,000 packages are at risk. Many of these packages have been downloaded hundreds of thousands of times or have been active for over six months, making them an attractive target for attackers aiming to compromise development environments.
- How Does Revival Hijack Work?
The attack leverages a loophole in the way PyPI handles removed packages. Once a package is deleted by its original owner, its name becomes available for registration by a new user. An attacker can re-register the same package name and publish a malicious release, often with a higher version number, tricking users into believing it’s a safe update.
The alarming part? Many developers might not even notice the change. Standard commands like pip list --outdated and pip install --upgrade treat the hijacked release as a routine update, so it can be installed without any indication that the package’s ownership has changed.
- Why Should I Be Concerned?
If you’re using Python packages in your DevOps pipeline or production environments, this attack could directly impact your software’s security and integrity. Once an attacker hijacks a package, they could introduce malicious code that targets specific environments, retrieves sensitive data, or disrupts your system’s functionality.
For businesses subject to CMMC 2.0 compliance or other stringent security regulations, these types of vulnerabilities could result in non-compliance, failed audits, or even data breaches. Ensuring your software supply chain is secure is critical to avoiding these risks.
- Has Revival Hijack Been Exploited in the Wild?
Yes, Revival Hijack has already been exploited. One notable example is the hijacking of the package “pingdomv3” by a threat actor known as Jinnis. After the original developer removed the package from PyPI, Jinnis republished it with a new version containing a Base64-encoded payload. This payload searched for the “JENKINS_URL” environment variable and, if found, executed additional code from a remote server.
This incident underscores the growing threat of software supply chain attacks and the need for vigilance in monitoring package integrity.
- What Can I Do to Protect My Organization?
At Justice IT Consulting, we recommend the following steps to mitigate the risk of Revival Hijack in your software environment:
- Monitor package changes: Regularly inspect the packages in your DevOps pipelines for any unexpected updates, especially those that may have been recently removed and re-registered.
- Use strict version control: Instead of updating packages blindly, specify exact versions of the libraries you trust and audit them regularly.
- Implement security best practices: Stay vigilant by utilizing tools that track changes in package authorship and validate package integrity.
- Utilize risk assessments: We offer a free cybersecurity risk assessment to help you identify vulnerabilities in your software supply chain.
- What Should I Do if I Find a Suspicious Package?
If you discover a package that seems suspicious, follow these steps:
- Investigate its version history: Check if the package has been removed and re-registered recently.
- Verify the author: Ensure that the package’s current author matches the original one, and that the update has not introduced any unexpected functionality.
- Remove the package if necessary: If you suspect a package has been compromised, immediately stop using it, remove it from your systems, and replace it with a verified, secure alternative.
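One way to automate the version-history and author checks above, as an added example that is not from the original article or from JFrog. It assumes dictionaries shaped like PyPI's JSON API response (https://pypi.org/pypi/<name>/json); the baseline record format, the author names, and all sample data are constructed for illustration.

```python
"""Added example: flag signs that a PyPI project was removed and re-registered."""
from datetime import datetime, timezone


def first_upload(index_json):
    """Earliest file upload time across every release the index still lists."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in index_json["releases"].values()
        for f in files
    ]
    return min(times) if times else None


def revival_signals(baseline, index_json):
    """Compare what we installed (baseline) with what the index lists now."""
    signals = []
    # Deleting a project removes its releases, so a revived name lacks old versions.
    if baseline["version"] not in index_json["releases"]:
        signals.append("installed version no longer on index")
    earliest = first_upload(index_json)
    # We installed from this name before its oldest surviving upload existed.
    if earliest and earliest > baseline["installed_at"]:
        signals.append("index history starts after our install date")
    if baseline["author"] != index_json["info"].get("author"):
        signals.append("author field changed")
    return signals


# Constructed baseline, recorded at install time (hypothetical record format).
BASELINE = {"version": "1.2.0", "author": "Original Dev",
            "installed_at": datetime(2022, 3, 1, tzinfo=timezone.utc)}

# Constructed index responses: one healthy project, one re-registered name.
CLEAN_INDEX = {"info": {"author": "Original Dev"}, "releases": {
    "1.2.0": [{"upload_time_iso_8601": "2021-06-01T08:00:00.000000Z"}],
    "1.3.0": [{"upload_time_iso_8601": "2023-02-11T10:30:00.000000Z"}]}}
REVIVED_INDEX = {"info": {"author": "someone-else"}, "releases": {
    "1.3.0": [{"upload_time_iso_8601": "2024-04-10T09:00:00.000000Z"}]}}

if __name__ == "__main__":
    for label, index in (("clean", CLEAN_INDEX), ("revived", REVIVED_INDEX)):
        print(label, revival_signals(BASELINE, index))
```

Any signal is a reason to hold the upgrade and review the package by hand; an empty list does not prove the package is safe.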
Stay Ahead of Software Supply Chain Threats
Ensuring your DevOps pipeline and software supply chain remain secure is more important than ever. At Justice IT Consulting, we help businesses protect themselves from evolving cybersecurity threats like Revival Hijack.
Schedule a free 10-minute discovery call with our team today to discuss how we can help you secure your software environment and maintain compliance with CMMC 2.0. Let us be your guide in staying ahead of these emerging risks.