Alex Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, Uber, .. simply by publishing public packages using the same name as the company's internal ones.
It's not a bug, it's a feature
#CYBER #SUPPLY #CHAIN #NPM #THREATS #WEAPONIZATION
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Suivre
Microsoft has published a white paper on Tuesday about a new type of attack technique called a "dependency confusion" or a "substitution attack" that can be used to poison the app-building process inside corporate environments.
Besides Yarn, npm, RubyGems, PyPI, Gradle, Maven, NuGet, other package managers are vulnerable.
