Security researchers at JFrog report that the PyPi package repository is vulnerable to malware uploaded with the same name as a deleted package, causing automatic infection if the deleted package is trusted and downloaded by continuous integration tools such as Jenkins.
In a paper released today, JFrog researchers Andrey Polkovnychenko and Brian Moussalli, explain that when a developer removes a project from PyPi, the main repository used by Python developers, the package names used by that project become immediately available to other PyPi users. If that package name is then reused by an attacker, a developer may download the malicious version without realising it is no longer safe.
This is a potentially more powerful technique than typosquatting – uploading a package with a similar name as one that is popular and trusted – since there is no indication that a previously trusted package is now under new ownership. The researchers tested this by trying the trick themselves, creating a package, deleting it, and then replacing it with a new one of the same name but from a different account, and with a higher version number.
“When we ran pip to show any outdated packages, it happily showed our imposter package as ‘just a new version’ (4.0.0) of the original package – same name but vastly different code,” the researchers report.
According to the paper, around 300 packages are removed from PyPi every month. The researchers identified more than 22,000 packages with hijack potential, even after filtering for those with over 100K downloads or previously active for more than six months.
The team also reserved a small subset of the more popular vulnerable package names, using empty packages to prevent hijack. In three months, these empty packages were downloaded nearly 200,000 times, indicating that “there are outdated jobs and scripts out there which are still looking for the deleted packages, or users that manually downloaded these packages due to typosquatting,” the paper states.
The researchers also identified at least one case of this attack being used, with a package called pingdomv3. The Pingdom API is a monitoring service now run by SolarWinds, but pingdomv3 was an independent project last updated in 2020, before the SolarWinds acquisition. On March 30th 2024 the original author of pindomv3 removed the package from PyPi. The package name was acquired by a new developer shortly after, and a malicious version was uploaded on April 12th. It was reported to PyPi and removed.
The payload of the malicious pingdomv3 is unknown in detail, but its method was to download a script and run it using the Python exec command, only if the package was running in a Jenkins environment.
Although this research was carried out in May and reported to PyPi, the JFrog team state that “we’ve yet to receive a response from the PyPi team.” The recommendation therefore is not especially helpful: “PyPI users should stay vigilant and make sure their CI/CD machines are not trying to install packages that were already removed from PyPi.”
Mike Fieldler, safety and security engineer for PyPi, posted last month about recent actions taken to improve security. These include compulsory two-factor authentication for all user accounts, a security audit, an improved malware reporting process with 90 percent of all issues resolved in under 24 hours, a new quarantine option for suspicious packages under investigation, and improvements to the PyPi code, an application called Warehouse.