Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information. The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies. “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. And the answer was yes. Dependency Confusion Gains Swarms of Copycat Fans In Birsan’s case, he tested this “dependency confusion” using benign PoC code blocks. These were uploaded to public repositories – and he simply sat back and waited to see if they would be imported. His hunch proved correct, demonstrating how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber. In all, he received more than $130,000 in bug bounties and pre-approved financial arrangements with targeted…
0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2021-03-03 14:12:002021-03-03 14:12:00Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org