Alex Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, Uber and others simply by publishing public packages that used the same names as those companies' internal, unpublished packages (with higher version numbers, so the build tooling preferred the public copy over the private one).
It's not a bug, it's a feature
#CYBER #SUPPLY #CHAIN #NPM #THREATS #WEAPONIZATION
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Microsoft published a white paper on Tuesday about a new attack technique, called "dependency confusion" or a "substitution attack", that can be used to poison the application build process inside corporate environments.
Yarn, npm, RubyGems, PyPI, Gradle, Maven and NuGet are all affected, as is any other package manager that resolves a dependency name against both a private feed and a public registry.
(PDF) https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf
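To make the mechanism concrete, here is an added example (not code from Alex Birsan's write-up or from Microsoft's white paper) that models the two halves of the story above: a resolver that merges a private feed with the public registry and lets the highest version win, which is what an attacker's "99.0.0" copy of an internal name exploits, next to a resolver that pins internal names to the private feed the way npm scopes or a single, non-falling-back pip index do. The feed contents, package names and the `internal_names` list are constructed for the example.

```python
"""Added example: dependency-confusion resolution, vulnerable vs. pinned.

Not part of the original post or the linked white paper. Feeds below are
constructed; "acme-auth" and "acme-billing" stand in for internal packages.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # parsed dotted version, e.g. (1, 5, 0)
    feed: str        # "private" or "public"

    def version_str(self) -> str:
        return ".".join(map(str, self.version))


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


# Constructed feeds. The attacker has published a public package with the
# same name as the internal "acme-auth" and a deliberately huge version.
PRIVATE_FEED = {
    "acme-auth": ["1.4.2", "1.5.0"],
    "acme-billing": ["0.9.1"],
}
PUBLIC_FEED = {
    "requests": ["2.31.0"],
    "acme-auth": ["99.0.0"],   # attacker-controlled squat of an internal name
}


def candidates(name: str) -> list:
    """All versions of `name` visible across both feeds."""
    found = []
    for feed_name, feed in (("private", PRIVATE_FEED), ("public", PUBLIC_FEED)):
        for v in feed.get(name, []):
            found.append(Candidate(name, parse_version(v), feed_name))
    return found


def resolve_merged(name: str) -> Candidate:
    """Vulnerable behaviour: every feed is merged and the highest version wins.

    This is what pip does with --extra-index-url, and what a proxy registry
    that falls back to the public registry for unknown names does for npm.
    """
    cands = candidates(name)
    if not cands:
        raise LookupError(f"{name} not found on any feed")
    return max(cands, key=lambda c: c.version)


def resolve_pinned(name: str, internal_names: set) -> Candidate:
    """Hardened behaviour: an internal name is resolved ONLY from the private
    feed and never falls back to the public registry; everything else comes
    only from the public registry. Equivalent to mapping an npm scope such as
    @acme/* to one registry, or to a pip index that does not fall through."""
    allowed = "private" if name in internal_names else "public"
    cands = [c for c in candidates(name) if c.feed == allowed]
    if not cands:
        raise LookupError(f"{name} not found on the {allowed} feed")
    return max(cands, key=lambda c: c.version)


def audit(dependencies: list, internal_names: set) -> list:
    """The check a practitioner wants: which internal names in a dependency
    list would merged resolution fetch from the public feed? Returns
    (name, public_version) pairs; unresolvable names are skipped."""
    exposed = []
    for name in dependencies:
        if name not in internal_names:
            continue
        try:
            chosen = resolve_merged(name)
        except LookupError:
            continue
        if chosen.feed == "public":
            exposed.append((name, chosen.version_str()))
    return exposed


if __name__ == "__main__":
    internal = {"acme-auth", "acme-billing"}
    deps = ["requests", "acme-auth", "acme-billing"]
    for d in deps:
        merged = resolve_merged(d)
        pinned = resolve_pinned(d, internal)
        print(f"{d}: merged -> {merged.version_str()} from {merged.feed}; "
              f"pinned -> {pinned.version_str()} from {pinned.feed}")
    print("exposed:", audit(deps, internal))
```

Running it shows `acme-auth` resolving to the attacker's 99.0.0 from the public feed under merged resolution, while the pinned resolver returns 1.5.0 from the private feed and `audit` flags exactly that one name. The fix the white paper describes amounts to making every build use the `resolve_pinned` behaviour: one feed of record per name, with no silent fallback.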