Tech Giants Targeted with over 5000 Dependency Confusion Copycats

Dependency Confusion - A trending threat to cybersecurity

TL;DR

Sonatype recently reported that Amazon, Zillow, Slack, and Lyft (among others) were targeted by malicious dependency confusion copycats; packages carrying the same code have been identified in the public npm registry, and they collect sensitive pieces of information.

A software vendor has attributed this catastrophe to the default behaviour of the Python package installer, which leaves the software development process exposed to dependency confusion attacks.

After building, companies tend to mix private libraries with public libraries downloaded from public portals like npm, PyPI, etc.
Key Facts

  1. The unconventional decision by the security researcher Alex Birsan to put private repository material inside the public npm registry played a major role.

  2. The PyPI packages seemed free of malicious code, a bold and shocking wake-up call to the software development community.

  3. Other companies like Qentinel found unidentified libraries in their space, which means 'dependency confusion' is a bigger threat than most think.

  4. The Python Package Index is fundamentally insecure.

Details
Dependency manifest found inside the Microsoft Teams’ desktop application. Source: Contrast Security

Microsoft hired researchers to attack itself amid growing concern over the rapid growth of these attacks. The attacks on most of the giants were severe, but it remains unknown whether any succeeded in executing malware inside their networks. The PyPI, npm, and RubyGems open source code repositories, however, have been hit with over 5000 of these packages on their servers.

These attacks have been all over the place since Birsan published his discoveries. After being hit by a related attack stemming from Birsan's unauthorized and unconventional test against its servers, Microsoft recently fell to another attack, this time by researchers hired from Contrast.

At Contrast, the Director of the security team, Matt Austin, described starting by looking into the dependencies of the Microsoft Teams application. He found a JavaScript package listed under "optionalDependencies"; he then caused a Microsoft Teams development machine to download and run a package he had uploaded to npm, which used the name of the module listed as an optional dependency.

History is familiar with these attacks, but this one has a slightly different and subtle twist: some of the names did not exist on the npm registry at the time of development.

In recent times, many developers at small and large enterprises use package installers to download and import libraries, assembling them to create an app that is offered to customers or used internally at the company.

But some of these apps contain sensitive code, depending on their nature. After building, companies tend to mix private libraries with public libraries downloaded from public portals like npm, PyPI, etc.

It has been shown that if malicious actors get hold of the names of private libraries, they can register those names on public registries with packages containing dangerous code, which the build process may then download from the public portal in place of the private library.
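One defender-side check that follows from the mechanism just described, added here as an example and not code from the article or from any of the companies it names: audit a package.json (including the optionalDependencies section the Teams manifest contained) against a list of internal-only package names and the scope-to-registry pins in .npmrc, and flag every name an attacker could squat on the public registry. The manifest, the internal name list and the .npmrc are constructed sample input.

```python
import json

# Constructed sample manifest, shaped like the dependency manifest the
# article describes, including an optionalDependencies section.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-desktop-app",
  "dependencies": {"lodash": "^4.17.21", "@acme/internal-auth": "1.2.0"},
  "optionalDependencies": {"acme-telemetry-native": "0.3.1", "fsevents": "^2.3.2"}
}"""

# Constructed list of names the organisation publishes only to its private
# registry (hypothetical; in practice exported from the internal registry).
INTERNAL_PACKAGES = {"acme-telemetry-native", "internal-auth", "acme-build-tools"}

# Constructed .npmrc: only the @acme scope is pinned to the private registry.
SAMPLE_NPMRC = "@acme:registry=https://registry.internal.example/\n"


def scoped_registries(npmrc_text):
    """Return the set of scopes (e.g. '@acme') that .npmrc pins to a registry."""
    scopes = set()
    for line in npmrc_text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scopes.add(line.split(":registry=", 1)[0])
    return scopes


def audit_manifest(package_json_text, internal_names, npmrc_text=""):
    """List (section, name, reason) for names resolvable from the public registry."""
    manifest = json.loads(package_json_text)
    pinned_scopes = scoped_registries(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name.startswith("@"):
                # Scoped name: safe only if its scope is pinned to a private registry.
                if name.split("/", 1)[0] not in pinned_scopes:
                    findings.append((section, name, "scope not pinned to private registry"))
            elif name in internal_names:
                # Unscoped internal name: the public registry can serve a squatted copy.
                findings.append((section, name, "unscoped internal name resolvable from public registry"))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_PACKAGE_JSON, INTERNAL_PACKAGES, SAMPLE_NPMRC):
        print("RISK: %s -> %s (%s)" % finding)
```

Optional dependencies deserve the same scrutiny as regular ones, since npm installs them silently whenever the public registry can satisfy the name.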

Taking this path, researchers reported that they successfully loaded their innocuous code into the repositories used by 35 major tech firms, including Apple, Microsoft, Netflix, Shopify, Uber, and 30 more.

The registries spotlighted so far are npm, PyPI, and RubyGems, but researchers have determined that JFrog's and NuGet's package managers are also exposed.

Microsoft has suggested that companies analyze their internal package reports. Some companies have brushed this issue aside, but Microsoft seems to have a clearer grasp of it.
