Researchers find over 22,000 removed PyPI packages at risk of revival hijack

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: Researchers find over 22,000 removed PyPI packages at risk of revival hijack. Also: GitHub comments are being abused to push password stealing malware masked as fixes.

This Week’s Top Story

Researchers find over 22,000 removed PyPI packages at risk of revival hijack

Researchers at JFrog are warning about a software supply chain attack technique targeting the Python Package Index (PyPI) in attempts to infiltrate downstream organizations. Researchers spotted a package in the wild, pingdomv3, that uses the technique. This kind of attack, dubbed a “Revival Hijack” could be used to hijack 22,000 other existing PyPI packages and result in “hundreds of thousands” of malicious package downloads. The thousands of susceptible packages have more than 100,000 downloads combined and have been active for six months.?

The pingdomv3 package spotted by JFrog researchers was discovered by RL researchers five months ago , and additional threat intelligence regarding the package was published by the Open Source Security Foundation (OpenSSF) two months ago.?

Revival hijacking describes an attack in which malicious actors?re-register packages that have been removed from the Python Package Index by the package’s original owner. Once the abandoned package names have been re-assigned to the malicious actors, they are free to update once-safe, legitimate packages on PyPI with malicious functionality. That leaves applications and developers that rely on those packages open to downloading the malicious contents of the revived packages.?

ReversingLabs researchers documented a similar incident in the wild back in April 2023 , underscoring that revival hijacking is not a new attack method. In that incident, RL researchers discovered a revived and hijacked PyPI package, termcolour, that was used to deliver a three-stage malicious downloader to victims. While this attack method and incident were described back in 2023 as “uncommon,” RL Software Threat Researcher Lucija Valenti? at the time warned that it might become more common once threat actors realize how to use it to their benefit:

“The lack of transparency on platforms like PyPI work to the advantage of bad actors by making it difficult for developers and development organizations to understand the full history (and) provenance of packages they are downloading and using.” – Lucija Valenti? ?

(The Hacker News )

This Week’s Headlines

GitHub comments abused to push password stealing malware masked as fixes

GitHub is being abused to distribute the Lumma Stealer malware as fake fixes posted in project comments. A contributor to the teloxide rust library noted on Reddit that they received five different comments in their GitHub issues that pretended to be fixes, but were instead pushing malware. BleepingComputer reviewed the incident further and found thousands of similar comments posted to a wide range of projects on GitHub, all offering fake fixes to other people's questions. Reverse engineer Nicholas Sherlock found over 29,000 comments on GitHub pushing the infostealer over a 3-day period. (Bleeping Computer )

Take acton now! ;-) GitHub Actions vulnerable to typosquatting

Researchers at Orca Security are warning of a new attack vector in which malicious actors exploit typos in GitHub Actions to deliver and run malicious code, compromise source code, or steal secrets. In a blog post Thursday , Orca highlighted proof of concept attacks in which the company created 14 organizations with names that are typos of popular GitHub actions. The organizations had names like circelci, actons, docker-action, google-github-actons and so on.

The company then forked the repositories so that when a developer made these typos, they would get the desired response instead of an error, but with code served from the phony account. Bad actors using such a model could easily make modifications and insert malicious code into legitimate projects, Orca said. Within two months of launching the project, Orca saw twelve public repositories referencing the typosquatted “actons” repo, demonstrating how easily developers can fall victim to typosquatting. After 3 months, GitHub flagged and suspended only one of the fake organizations (circelci). The other 13 organizations are still running, Orca wrote. (Orca Security )

Microsoft is training developers on the intricacies of threat intelligence

Microsoft is trying to fix how their software developers approach security, in part, by familiarizing them with threat intelligence, including the objectives and motivations of attackers who are targeting Microsoft’s systems. Corporate VP and Chief Cybersecurity Advisor at Microsoft Bret Arsenault told Cybersecurity Dive “We need to develop software differently.” As a part of this new initiative by Microsoft, the company’s Director of Threat Intelligence Strategy Sherrod DeGrippo trained a set of 100 software engineers on cyber threats relevant to Microsoft. DeGrippo noted: “I’m finding that these super smart software engineers are incredible at developing mass-scaled code and mass applications, operating systems, but these are concepts (threat intelligence) that they really don’t have in their day-to-day that are my entire life.” (Cybersecurity Dive )

New flaws in Microsoft macOS apps could allow hackers to gain unrestricted access

Researchers at Cisco Talos have discovered eight vulnerabilities in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework. Researchers found that an attacker could abuse these vulnerabilities to “send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction.” Microsoft MacOS applications impacted include Outlook, Teams, Word, Excel, PowerPoint, and OneNote. (The Hacker News )

Army to mandate SBOMs by February 2025

The U.S. Army has plans to introduce new regulations by February of next year that would require software bills of materials (SBOMs) for nearly all newly acquired or developed software that the Army uses. In a memo released by the Army on August 16, the service branch made it known that it would mandate the inclusion of an SBOM in most new software contracts. However, cloud service applications have been exempt so far from these regulations. The new SBOM mandate efforts are in response to Executive Order 14028 and subsequent directives such as the Office of Management and Budget’s M-22-18. (MeriTalk )

Explaining the OWASP API Security Top 10

Any company that employs APIs can tell you that they’re the glue that holds all things together, the hub that simplifies and scales digital growth. However, not all can tell you how to protect them – and that’s a problem. Thanks to the Open Web Application Security Project (OWASP) API Security Top 10 list, organizations employing APIs can refer to the most common and threatening cyber threats that their organization should learn how to prepare for. Read this Information Security Buzz article to learn how prevalent API use is, why OWASP’s list is essential, plus what the list includes. (Information Security Buzz )

Looking for more insights on software supply chain security? Head to the RL Blog .?

Resource Round-up

Webinar I Software Supply Chain Security for Dummies: Practical Tips to Improve Software Security Posture

September 11 at 11 am ET

Join the discussion on RL's new how-to book, Software Supply Chain Security for Dummies , where authors Paul F. Roberts and Charlie Jones will discuss the guide and give clear takeaways for any organization looking to better manage their software supply chain risks. [Register Here ]?

Blog | Secure by Demand: Going Beyond Questionnaires and SBOMs

Enterprise buyers need direct, verifiable evidence of software security. Here's why your organization needs to trust, but verify. [Read It Here ]

Webinar | Software Supply Chain Security 101

September 25 at 12 pm ET

RL technical experts Jasmine Noel and Joshua Knox will offer a crash course on the technical aspects of software supply chain compromises and demonstrate how to assess the risks posed by commercial software. Their technical insights and actionable recommendations will enable you to position your organization to handle this growing threat. [Register Here ]?

Looking for more great conversations to watch? See RL’s on-demand webinar library .?