Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

While looking at a package.json from a public project from PayPal, Alex Birsan noticed that it held some references to private NPM packages used internally by PayPal.

Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally by the company.

Seeing this, the researcher wondered: should a package with the same name exist in the public npm repository as well as in a private NodeJS repository, which one would get priority?

As you might have guessed by now:

Should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead — without needing any action from the developer.

OH. SH*T.

Using a preinstall script, he then logged some information to his server, cleverly abusing DNS to bypass any firewalling.
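A defender-side check in the spirit of the finding above, added here as an example and not part of the original post or of Birsan's research: it reads a constructed package.json and .npmrc and flags internal dependency names that an npm client would resolve from the public registry (unscoped, or scoped but with no registry binding for that scope). All package names, scopes and registry URLs are constructed.

```python
import json
import re

# Constructed sample manifest (not any real company's file): public
# dependencies mixed with names that only exist on an internal registry.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.17.1",
    "pp-internal-auth": "^2.0.0",
    "@acme/billing-client": "^1.3.0",
    "@acme-tools/lint-rules": "^0.9.0"
  }
}"""

# Constructed .npmrc: only the @acme scope is routed to the private registry.
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Names the organisation knows it publishes only internally (constructed).
INTERNAL_PACKAGES = {"pp-internal-auth", "@acme/billing-client", "@acme-tools/lint-rules"}


def pinned_scopes(npmrc: str) -> set[str]:
    """Return the scopes that .npmrc binds to an explicit registry."""
    return set(re.findall(r"^(@[^:]+):registry=", npmrc, flags=re.MULTILINE))


def audit_dependencies(package_json: str, npmrc: str, internal: set[str]) -> dict[str, str]:
    """Classify each internal dependency by how the npm client would resolve it.

    'unscoped'       a same-named package on the public registry would win.
    'unpinned-scope' scoped, but the scope is not bound to the private registry.
    'pinned'         the scope is routed to the private registry.
    """
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    scopes = pinned_scopes(npmrc)
    findings = {}
    for name in deps:
        if name not in internal:
            continue  # public dependency, resolution from npmjs is expected
        if not name.startswith("@"):
            findings[name] = "unscoped"
        elif name.split("/")[0] not in scopes:
            findings[name] = "unpinned-scope"
        else:
            findings[name] = "pinned"
    return findings


if __name__ == "__main__":
    for pkg, status in audit_dependencies(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES).items():
        print(f"{status:15} {pkg}")
```

Only the `pinned` entry is safe from the substitution described above; the other two statuses are the misconfiguration that lets a public package of the same name win.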

Researcher hacks over 35 tech firms in novel supply chain attack →
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies →
