Sonatype, an enterprise software company, has identified new malicious dependency confusion packages in the npm ecosystem. These packages weaponize the dependency confusion exploit, a proof-of-concept recently published by security researcher Alex Birsan.
What is happening?
Researchers have found new malicious packages named after the repositories, namespaces, and components used by well-known tech firms such as Amazon, Lyft, Zillow, and Slack.
- The disclosure of dependency confusion exploits led copycat researchers and bounty hunters to publish 275+ identical packages to the npm repo for bug bounties. In a few days, the number jumped to over 700.
- Most of the copycat packages spotted by Sonatype exploited dependency confusion to unethically exfiltrate information, just to obtain proof for a bug bounty program.
- The packages carried no prior notice or disclaimer to suggest that the intrusion attempt was part of genuine bounty hunting, so distinguishing bounty-hunting packages from truly malicious ones was challenging.
How it works
- The researchers or bounty hunters make a DNS request from a breached machine to their own server and collect computer information (hostname and IP address).
- Several copycat packages exfiltrate the user’s .bash_history file and /etc/shadow, or sometimes open a reverse shell. With all this, the attackers may obtain login credentials.
One of the biggest dangers of these malicious packages is automation, where code imports can be performed automatically.
The danger with automation
- Whenever a new version of a malicious package becomes available, a developer’s project fetches it from a repository automatically, which may lead to the project upgrading to the malicious package.
- Furthermore, copycat packages are usually uploaded to public repositories, opening the gates for entry by malicious attackers.
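One way to check a project for this exposure, as an added example that is not from Sonatype or the original article: the script flags internal package names that use a floating version range in package.json, or that the lockfile shows were downloaded from a registry other than the internal one. The registry host npm.internal.example and the acme-* package names are assumptions made for illustration.

```javascript
// Added example: audit an npm manifest + lockfile for dependency confusion exposure.
// Hypothetical values, not from the article: the registry host and package names.
const INTERNAL_REGISTRY_HOST = "npm.internal.example";
const INTERNAL_NAMES = new Set(["acme-auth-utils", "acme-billing-core"]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; keep the last name.
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Only an exact x.y.z pin is fixed; ^, ~, *, "latest", etc. let automation upgrade.
function isFloating(range) {
  return !/^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/.test(range.trim());
}

function auditProject(manifest, lock) {
  const findings = [];
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, range] of Object.entries(deps)) {
    if (INTERNAL_NAMES.has(name) && isFloating(range)) {
      findings.push({ name, issue: "floating-range", detail: range });
    }
  }
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!INTERNAL_NAMES.has(name) || !entry.resolved) continue;
    let host = "(unparseable)";
    try { host = new URL(entry.resolved).hostname; } catch { /* keep placeholder */ }
    if (host !== INTERNAL_REGISTRY_HOST) {
      findings.push({ name, issue: "wrong-registry", detail: `${entry.version} from ${host}` });
    }
  }
  return findings;
}

// Constructed sample input; the acme-* names and demo-app project are hypothetical.
const sampleManifest = {
  dependencies: { "acme-auth-utils": "^1.4.0", "acme-billing-core": "2.0.1", "left-pad": "^1.3.0" },
};
const sampleLock = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/acme-auth-utils": { version: "99.0.0", resolved: "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-99.0.0.tgz" },
    "node_modules/acme-billing-core": { version: "2.0.1", resolved: "https://npm.internal.example/acme-billing-core/-/acme-billing-core-2.0.1.tgz" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};
console.log(auditProject(sampleManifest, sampleLock));
```

Run against the constructed sample, it reports acme-auth-utils twice: once for the caret range that permits automatic upgrades, and once because the lockfile records it as resolved from the public registry.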
As of now, most of the malicious package components differ in their spelling or are sometimes published under a distinct namespace, making them slightly easier to identify. Though it isn’t known whether adversaries have targeted anyone using this tactic, experts recommend staying vigilant and keeping your security teams, developers, and users abreast of such developments.