Python security: PyPI hijack exposes 22K+ packages to takeover attacks


Georgi Guninski

Sep 9, 2024, 5:43:34 AM
to sage-...@googlegroups.com
https://www.theregister.com/2024/09/09/predator_spyware_trump_crypto/

Mon 9 Sep 2024 // 02:00 UTC

Pasting from the above:

PyPI hijack exposes 22K+ packages to takeover attacks

Security researchers monitoring open source packages have spotted
nasty folk waiting for a package to be deleted and re-creating the
repository with a malicious version.

Dubbed "revival hijack" by researchers at JFrog, the tactic involves
abusing the Python Package Index's (PyPI) package registration system.

"This attack technique involves hijacking PyPI software packages by
manipulating the option to re-register them once they're removed from
PyPI's index by the original owner," the JFroggers wrote.

The DevOps and security firm estimates there are around 22,000
packages in PyPI vulnerable to a revive hijack attack, and the
researchers noted they've already spotted the technique being used in
the wild to infect the pingdomv3 package.
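Added example (not from this thread, The Register, or JFrog): a small Python check that shows the mitigation side of the attack described above. It parses a constructed requirements.txt in pip's `--require-hashes` format, flags entries that carry no hash pin (installable by name alone, so a package re-registered under a deleted name would be accepted) and verifies downloaded bytes against the pinned sha256 so that a different artifact published under a revived name is rejected. All names, versions and artifact bytes other than the pingdomv3 name are made up for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for the wheel the original maintainer published.
ORIGINAL_ARTIFACT = b"constructed: original example-lib 1.0.0 wheel bytes"
# Constructed stand-in for a different artifact uploaded under the same
# name after the original was deleted and the name re-registered.
REVIVED_ARTIFACT = b"constructed: re-registered example-lib 1.0.0 wheel bytes"

# Constructed requirements.txt in the format pip's --require-hashes expects.
# example-lib is pinned to the original digest; pingdomv3 (named in the
# thread, version constructed) is listed without a hash to show an exposed entry.
SAMPLE_REQUIREMENTS = (
    "example-lib==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(ORIGINAL_ARTIFACT).hexdigest()}\n"
    "pingdomv3==0.1.0\n"
)

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Requirement:
    name: str
    version: str
    sha256: set = field(default_factory=set)


def parse_requirements(text: str) -> dict:
    """Parse pinned requirements, joining backslash continuation lines."""
    logical = text.replace("\\\n", " ")
    reqs = {}
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split()[0]
        name, _, version = spec.partition("==")
        reqs[name] = Requirement(name, version, set(HASH_RE.findall(line)))
    return reqs


def unpinned(reqs: dict) -> list:
    """Names installable by name alone: a re-registered package would be accepted."""
    return sorted(n for n, r in reqs.items() if not r.sha256)


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """True only if the downloaded bytes match one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in req.sha256
```

Hash pins protect only the packages that carry them, so `unpinned()` is the list to clear before relying on `pip install --require-hashes`.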

Michael Orlitzky

Sep 9, 2024, 6:22:27 AM
to sage-...@googlegroups.com
On 2024-09-09 12:43:12, Georgi Guninski wrote:
>
> The DevOps and security firm estimates there are around 22,000
> packages in PyPI vulnerable to a revive hijack attack, and the
> researchers noted they've already spotted the technique being used in
> the wild to infect the pingdomv3 package.

Solved 30 years ago. Pip is not a package manager; only a fool would
install anything from pypi, npm, crates, etc., etc. Use only distro
packages. Downloading executables from strangers cannot be made safe.