Researchers have discovered a disturbingly simple method with which attackers can distribute malicious payloads through the PyPI package repository. The attacker only has to register a malicious package on PyPI under the same name as a legitimate package that was previously published but has since been removed, then wait for organizations to download it. PyPI allows a project name to be reused once the original project has been deleted, so anyone can claim a removed name, and because pip resolves dependencies by name alone, any requirements file, build script or CI pipeline that still references the removed package will pull the attacker's upload on its next install. The researchers call this technique the “Revival Hijack” and note that it can easily be used to target large organizations. They found 120,000 removed PyPI packages that could potentially be hijacked in this way.
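Two practical defences follow from the mechanism described above: pin dependencies with content hashes so that a re-uploaded artifact under the same name fails verification, and check whether a pinned package's history on the index has been reset since your lockfile was written. The script below is an added example written for this page; it is not code from the original article or from the researchers. The package names, artifact bytes, hashes and upload dates are constructed, and the nested dictionaries only mirror the shape of PyPI's public JSON API (`https://pypi.org/pypi/<name>/json`) so the example runs offline.

```python
"""Added example: hash-pinned installs plus a revival check for PyPI names that
were removed and later re-registered. Not code from the original article or the
researchers; all package names, bytes, digests and dates below are constructed."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed artifact contents standing in for the real wheels.
LEGIT_WHEEL = b"legitimate legacy-util 1.3.2 wheel"
HIJACKED_WHEEL = b"re-registered legacy-util wheel with a malicious payload"
LEGIT_SHA = hashlib.sha256(LEGIT_WHEEL).hexdigest()
REQUESTS_SHA = hashlib.sha256(b"requests 2.32.3 wheel").hexdigest()

# pip's hash-pinned requirements format (what `pip-compile --generate-hashes` emits).
REQUIREMENTS = f"""\
legacy-util==1.3.2 \\
    --hash=sha256:{LEGIT_SHA}
requests==2.32.3 \\
    --hash=sha256:{REQUESTS_SHA}
"""

# Date the lockfile above was last regenerated (constructed).
LOCK_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed index responses in the shape of https://pypi.org/pypi/<name>/json.
# "legacy-util" was deleted and re-registered: its only release is brand new and
# the version we pinned no longer exists. "requests" is the healthy control case.
INDEX = {
    "legacy-util": {
        "info": {"name": "legacy-util", "version": "1.4.0"},
        "releases": {
            "1.4.0": [{"upload_time_iso_8601": "2024-08-30T11:02:00.000000Z",
                       "digests": {"sha256": hashlib.sha256(HIJACKED_WHEEL).hexdigest()}}],
        },
    },
    "requests": {
        "info": {"name": "requests", "version": "2.32.3"},
        "releases": {
            "2.32.3": [{"upload_time_iso_8601": "2024-05-29T15:00:00.000000Z",
                        "digests": {"sha256": REQUESTS_SHA}}],
        },
    },
}

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")


def parse_requirements(text):
    """Parse exact pins with --hash options into {name: (version, {sha256...})}.
    Backslash continuations are joined first, as pip does. Anything that is not
    an exact pin is rejected, since a version range defeats hash pinning."""
    pinned = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _PIN_RE.match(line)
        if not match:
            raise ValueError(f"only exact pins are accepted: {line!r}")
        name = match.group(1).lower().replace("_", "-")   # PEP 503 style normalisation
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
        pinned[name] = (match.group(2), hashes)
    return pinned


def verify_artifact(data, allowed_sha256):
    """Same rule as `pip install --require-hashes`: the downloaded bytes must
    match one of the pinned digests, so a re-uploaded artifact published under
    the same name fails even if it reuses the old version number."""
    return hashlib.sha256(data).hexdigest() in allowed_sha256


def revival_indicators(name, pinned_version, project_json, lock_date):
    """Heuristics for a removed-then-re-registered name. Returns a list of
    findings; an empty list means nothing looked suspicious."""
    findings = []
    releases = project_json.get("releases", {})
    if pinned_version not in releases:
        findings.append(f"{name}: pinned version {pinned_version} no longer exists on the index")
    uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for files in releases.values() for f in files]
    if uploads and min(uploads) > lock_date:
        findings.append(f"{name}: every release was uploaded after the lockfile date "
                        f"({lock_date.date()}); the project's history has been reset")
    return findings


def audit(requirements_text, index, lock_date):
    """Run the revival check for every pinned package that the index knows about.
    `index` is a {name: project_json} mapping standing in for live API responses."""
    report = {}
    for name, (version, _hashes) in parse_requirements(requirements_text).items():
        if name in index:
            report[name] = revival_indicators(name, version, index[name], lock_date)
    return report


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("legit wheel accepted:   ", verify_artifact(LEGIT_WHEEL, pins["legacy-util"][1]))
    print("hijacked wheel accepted:", verify_artifact(HIJACKED_WHEEL, pins["legacy-util"][1]))
    for pkg, findings in audit(REQUIREMENTS, INDEX, LOCK_DATE).items():
        print(pkg, findings or "ok")
```

In a real pipeline the `INDEX` dictionary would be replaced by the response from the PyPI JSON API for each pinned name, and the install itself would run as `pip install --require-hashes -r requirements.txt`, which refuses any artifact whose digest is not listed. The revival check is only a heuristic: a legitimate maintainer can also yank and republish, so a finding should trigger a review rather than an automatic block.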