image
Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information. The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies. “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. And the answer was yes. Dependency Confusion Gains Swarms of Copycat Fans In Birsan’s case, he tested this “dependency confusion” using benign PoC code blocks. These were uploaded to public repositories – and he simply sat back and waited to see if they would be imported. His hunch proved correct, demonstrating how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber. In all, he received more than $130,000 in bug bounties and pre-approved financial arrangements with targeted…

Source