Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

While looking at a package.json from a public project from PayPal, Alex Birsan noticed that it held some references to private NPM packages used internally by PayPal.

Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally by the company.

On seeing this, the researcher wondered, should a package by the same name exist in the public npm repository, in addition to a private NodeJS repository, which one would get priority?

And of course, as you can guess:

Should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead — without needing any action from the developer.

OH. SH*T. 😳

Using a preinstall script he then logged some info on his server, cleverly abusing DNS to bypass any firewalling.

Researcher hacks over 35 tech firms in novel supply chain attack →
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies →

Published by Bramus!

Bramus is a Freelance Web Developer from Belgium. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since (more …)

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.