New type of supply-chain attack hit Apple, Microsoft and 33 other companies

by
Dan Goodin
from Ars Technica - All content on (#5E80H)
software-code-800x534.jpg

Enlarge (credit: Getty Images)

Last week, a researcher demonstrated a new supply-chain attack that executed counterfeit code on networks belonging to some of the biggest companies on the planet, Apple, Microsoft, and Tesla included. Now, fellow researchers are peppering the Internet with copycat packages, with more than 150 of them detected so far.

The technique was unveiled last Tuesday by security researcher Alex Birsan. His so-called dependency confusion or namespace confusion attack starts by placing malicious code in an official public repository such as NPM, PyPI, or RubyGems. By giving the submissions the same package name as dependencies used by companies such as Apple, Microsoft, Tesla, and 33 other companies, Birsan was able to get these companies to automatically download and install the counterfeit code.

Automatic pwnage

Dependencies are public code libraries or packages that developers use to add common types of functionality to the software they write. By leveraging the work of thousands of their open source peers, developers are spared the hassle and expense of creating the code themselves. The developer's code automatically downloads and incorporates the dependency, or any update to it, either from the developer's local computer or from a public repository.

Read 14 remaining paragraphs | Comments

index?i=h0U-6S8CztM:dKVoWC5GgS8:V_sGLiPB index?i=h0U-6S8CztM:dKVoWC5GgS8:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments