A researcher claims to have hacked into the internal systems of major companies including Apple and Microsoft using a novel supply chain attack.
Alex Biran created malicious node packages and uploaded them to the npm registry under unclaimed names. The node packages collected information through their preinstall script about the machines upon which they were installed.
Next, Biran came up with a way to get the packages to send information back to him.
"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," wrote Biran.
The data was hex-encoded and used as part of a DNS query, which reached the researcher's custom authoritative name server, either directly or through intermediate resolvers. Biran then found private package names inside JavaScript files.
"Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way," Biran wrote.
In the latter half of 2020, Biran scanned millions of domains belonging to targeted companies and extracted hundreds of JavaScript package names that hadn't been claimed on the npm registry. He uploaded his malicious code to the package-hosting services and achieved a success rate that he described as "simply astonishing."
"Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," said Biran.
"This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages."
The vast majority of affected companies employed over a thousand people.
“This is an incredibly serious industry-wide problem," Craig Young, principal security researcher at Tripwire, told Infosecurity Magazine.
"When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risks. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”
Alex Biran created malicious node packages and uploaded them to the npm registry under unclaimed names. The node packages collected information through their preinstall script about the machines upon which they were installed.
Next, Biran came up with a way to get the packages to send information back to him.
"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," wrote Biran.
The data was hex-encoded and used as part of a DNS query, which reached the researcher's custom authoritative name server, either directly or through intermediate resolvers. Biran then found private package names inside JavaScript files.
"Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way," Biran wrote.
In the latter half of 2020, Biran scanned millions of domains belonging to targeted companies and extracted hundreds of JavaScript package names that hadn't been claimed on the npm registry. He uploaded his malicious code to the package-hosting services and achieved a success rate that he described as "simply astonishing."
"Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," said Biran.
"This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages."
The vast majority of affected companies employed over a thousand people.
“This is an incredibly serious industry-wide problem," Craig Young, principal security researcher at Tripwire, told Infosecurity Magazine.
"When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risks. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”
