“Delivery“ Malicious NPM Packages Target Amazon and Slack with Dependency Attacks

Threat actors are targeting companies to include Zillo, Amazon and Slack’s NodeJS applications by using a new vulnerability known as “Dependency Confusion”. By utilising this vulnerability, attacks can steal Unix based system password files and open reverse shells back to an attacker.

The attacker creates packages utilising the same names as a company’s internal component or repositories. When these are hosted on public repositories such as NPMs and RubyGems, dependency managers use the packages on the public repository rather than the internal packages.

Thanks to a logical (dependency confusion), the attacker can then inject malicious payloads into the internal application in a supply chain attack.

The impact

A successful dependency confusion attack results in an attacker being able to inject their malicious payloads into an internal application and receive a reverse shell, from which they can execute commands remotely.

The remediation

This issue is hard to mitigate. However, Microsoft’s whitepaper provides several recommendations. A summary is included below. Note that number 1 is the most recommended action and 3 is the least.

1. Make use of a single dependency rather than multiple, package managers should only pull packages from a singular repository that is trusted and preferably under direct control.
2. Make use of “scopes” where packages can be assigned a prefix that is unique to the controlling organisation. This is useful for internal packages and makes sure that package lists always use the name scope set.
3. Use client-side validation to reduce the probability of accidentally upgrading to a malicious version.

Source: Bleeping Computer