PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats

This week, a vigilante actor flooded PyPI and npm repositories with nearly 5,000 dependency confusion packages.

Just a day has elapsed since Sonatype discovered and reported on malicious dependency confusion packages that targeted Amazon, Zillow, Lyft, and Slack, and we are now seeing these packages appear in PyPI and npm claiming to “make everyone pay attention to software supply chain attacks, because the risks are too great.”

1,500+ npm identical packages spotted

Yesterday, The Register reported on PyPI admins taking down 3,653 Python packages that contained the “RemindSupplyChainRisks” text and made benign GET requests to a Tokyo-based IP, 101.32.99.28.

Now, Sonatype has come across information that the same actor flooded npm with identical packages:

According to our analysis, these 1,500+ npm packages are all posted by the user remindsupplychainrisks and most contain the disclaimer, “RemindSupplyChainRisks: the purpose is to make everyone pay attention to software supply chain attacks, because the risks are too great.”

Moreover, these npm copycats also make a GET request to the same IP 101.32.99.28 as the PyPI packages did, indicating the same actor is behind flooding both PyPI and npm repos.

All of these packages have minimal code similar to other proof-of-concept dependency hijacking copycats. The package.json manifest runs the index.js file as soon as the package is installed.

For example, the “activemq” dependency confusion package, named after a popular component, is one of the 1,500+ npm packages squatted by remindsupplychainrisks with this exact structure. The index.js in “activemq” makes a simple GET request to the aforementioned IP address.

Packages contain minimal proof-of-concept code
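A defender-side check for the structure described above (a package.json install hook that runs a file which fetches a hard-coded IP), written here as an added example rather than code from the Sonatype post or from any of the packages; the sample manifest, file contents and the 203.0.113.7 address are constructed.

```javascript
// Added example (not from the Sonatype post): audit a package manifest for
// install-time lifecycle scripts and flag any whose referenced file makes an
// HTTP request to a raw IPv4 literal, the pattern described in the post.
// All sample inputs below are constructed; none is the real "activemq" package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // run on `npm install`
const IPV4_LITERAL = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;
const HTTP_CALL = /\b(?:https?\.(?:get|request)|fetch|axios)\s*\(/;

// Return the lifecycle hooks in package.json that execute at install time.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Extract the JS file a hook command runs, e.g. "node index.js" -> "index.js".
function scriptTarget(command) {
  const m = /\bnode\s+(\S+\.js)\b/.exec(command);
  return m ? m[1] : null;
}

// Audit one package: `files` maps file names in the tarball to their source.
// Returns { hooks, findings }, where findings lists hook scripts that reach
// out to a raw IP over HTTP, so a reviewer can triage them before installing.
function auditPackage(manifest, files) {
  const hooks = installHooks(manifest);
  const findings = [];
  for (const hook of hooks) {
    const target = scriptTarget(manifest.scripts[hook]);
    const src = target && files[target];
    if (src && HTTP_CALL.test(src) && IPV4_LITERAL.test(src)) {
      findings.push({ hook, file: target, ip: IPV4_LITERAL.exec(src)[0] });
    }
  }
  return { hooks, findings };
}

// Constructed sample mirroring the layout described in the post:
// a preinstall hook that runs index.js, which GETs a hard-coded address.
const sampleManifest = {
  name: "example-copycat",
  version: "1.0.0",
  scripts: { preinstall: "node index.js" },
};
const sampleFiles = {
  // 203.0.113.7 is a documentation (TEST-NET-3) address, used as a placeholder
  "index.js": 'const http = require("http"); http.get("http://203.0.113.7/", () => {});',
};

const report = auditPackage(sampleManifest, sampleFiles);
console.log(JSON.stringify(report, null, 2)); // hooks: ["preinstall"], one finding on index.js
```

Running the same audit over every package.json under node_modules (or over the extracted tarball before `npm install`) turns the post's observation into a repeatable pre-install gate.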

Although Sonatype has thus far not observed any of these packages exhibiting malicious activity, we are yet to analyze all of the 1,500+ packages, and advise users to be (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/pypi-and-npm-flooded-with-over-5000-dependency-confusion-copycats