Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

Today, news broke that a security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.

By taking advantage of a concept known as dependency confusion or namespace confusion, security researcher and ethical hacker Alex Birsan pushed his Proof-of-Concept (PoC) counterfeit packages downstream in an automated fashion to the development environments of Microsoft, Uber, Tesla, Yelp and Shopify, among other tech firms.

This attack is of particular significance because, unlike the traditional typosquatting or brandjacking supply-chain attacks that Sonatype has written about before, the targeted companies' build systems pulled in Birsan's packages automatically: no developer misspelled a package name and no social engineering was involved. The counterfeit packages reused the names of the companies' internal, private packages, and a package manager that consults a public registry alongside the private one will prefer whichever copy carries the higher version number.
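To make the resolution mechanism concrete, the following Python simulation is an added example, not code from the original post or from Birsan's research. The registry contents and the `acme-*` package names are constructed, and `RESERVED_PRIVATE_NAMES` stands in for whatever policy a real resolver would be configured with. It shows a naive resolver picking the public package purely because of its higher version number, a scoped resolver that never consults the public index for reserved names, and a pre-build audit that lists the private names a naive resolver would fetch from the public side.

```python
# Added example (not code from the original post or from Birsan's research):
# a simulation of how a dependency resolver that consults both a private and a
# public registry ends up installing a public package that shares an internal
# name, plus a hardened resolver and a pre-build audit.

# Constructed sample registry contents. The "acme-*" package names are hypothetical.
PRIVATE_INDEX = {
    "acme-internal-auth": ["1.2.0", "1.3.1"],
    "acme-billing-client": ["0.9.0"],
}
PUBLIC_INDEX = {
    "acme-internal-auth": ["99.0.0"],  # same name as a private package, far higher version
    "requests": ["2.25.1", "2.26.0"],
}

# Names the organisation reserves for its private registry (hypothetical policy list).
RESERVED_PRIVATE_NAMES = {"acme-internal-auth", "acme-billing-client"}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. "1.3.1" -> (1, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name, private_index, public_index):
    """Default behaviour of many package managers when several indexes are configured:
    pool every candidate version from every index and pick the highest one, with no
    regard to which index it came from. Returns (origin, version)."""
    candidates = []
    for origin, index in (("private", private_index), ("public", public_index)):
        for version in index.get(name, []):
            candidates.append((parse_version(version), origin, version))
    if not candidates:
        raise LookupError("no index provides %s" % name)
    _, origin, version = max(candidates)
    return origin, version


def resolve_scoped(name, private_index, public_index, reserved_names):
    """Hardened policy: a reserved name is only ever resolved against the private index,
    so a public upload under the same name is never a candidate. Everything else is
    resolved from the public index only. Returns (origin, version)."""
    if name in reserved_names:
        origin, versions = "private", private_index.get(name, [])
    else:
        origin, versions = "public", public_index.get(name, [])
    if not versions:
        raise LookupError("%s not available from the %s index" % (name, origin))
    return origin, max(versions, key=parse_version)


def find_hijack_candidates(private_index, public_index):
    """Pre-build audit: report every private package name that also exists on the public
    index with a version higher than the newest private one, i.e. exactly the packages
    a naive resolver would fetch from the public side."""
    findings = {}
    for name, versions in private_index.items():
        newest_private = max(versions, key=parse_version)
        public_versions = public_index.get(name, [])
        if not public_versions:
            continue
        newest_public = max(public_versions, key=parse_version)
        if parse_version(newest_public) > parse_version(newest_private):
            findings[name] = (newest_private, newest_public)
    return findings


if __name__ == "__main__":
    for pkg in ("acme-internal-auth", "requests"):
        print(pkg, "naive  ->", resolve_naive(pkg, PRIVATE_INDEX, PUBLIC_INDEX))
        print(pkg, "scoped ->", resolve_scoped(pkg, PRIVATE_INDEX, PUBLIC_INDEX, RESERVED_PRIVATE_NAMES))
    print("hijack candidates:", find_hijack_candidates(PRIVATE_INDEX, PUBLIC_INDEX))
```

The scoped resolver is the policy that real tooling expresses as npm scopes bound to a specific registry, or as routing or exclusion rules on a private proxy such that internal names are never forwarded to the public upstream. The audit function is the check worth running before any build: it reports only those internal names for which a public copy would actually win the version comparison, which is the precondition the attack depends on.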

For demonstrating the seriousness of this type of software supply chain attack, Birsan has been awarded upwards of $130,000 in bug bounties.

To date, Birsan has published over 200 packages, each with 100-1000 versions, to multiple open-source ecosystems including npm, PyPI and RubyGems, which explains the researcher's astonishingly high success rate in ethically hacking large organizations.

When Birsan's research efforts began last year, our automated malware detection systems, part of Nexus Intelligence, started flagging these packages as malware at the same time. At that point the researcher told Sonatype that this was all part of ongoing research and that a coordinated disclosure was set to take place in early 2021.

Since then, the Sonatype Security Research team has been adding these packages to our data under multiple vulnerability identifiers (sonatype-2020-XXXX IDs), keeping our customers protected from the start.

Sonatype also observed that these 200+ brandjacking packages were published under the researcher's real name, with what appeared to be a credible profile, and contained explicit disclaimers in multiple places that they were created for security research purposes (both

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: