Backdoor in public repository used new form of attack to target big firms

by Dan Goodin, Ars Technica

A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients' resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher, Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.

A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.
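To make the mechanism and the defence concrete, here is an added example (not code from the article or from Birsan's research) that models a resolver consulting a private and a public index. The index contents, the "acme-" internal name prefix and the function names are all constructed for illustration.

```python
# Added example: a minimal model of multi-index package resolution, showing
# why "highest version wins, whichever index it came from" is dangerous and
# what a name-scoped policy plus an inventory check look like instead.

# Constructed index snapshots (name -> available versions); not real data.
PRIVATE_INDEX = {"acme-auth": ["1.4.0"], "acme-billing": ["2.0.1"]}
PUBLIC_INDEX = {"requests": ["2.31.0"], "acme-auth": ["99.0.0"]}  # same name, public


def _vkey(version):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name):
    """Mimics a resolver that merges both indexes and keeps the highest
    version regardless of origin: the behaviour dependency confusion abuses."""
    candidates = [(v, "private") for v in PRIVATE_INDEX.get(name, [])]
    candidates += [(v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(f"no index provides {name!r}")
    return max(candidates, key=lambda c: _vkey(c[0]))


def resolve_scoped(name, internal_prefixes=("acme-",)):
    """Hardened policy: names carrying an internal prefix are only ever taken
    from the private index, and everything else only from the public one, so
    a public look-alike can never outrank the internal package."""
    if name.startswith(internal_prefixes):
        versions, origin = PRIVATE_INDEX.get(name, []), "private"
    else:
        versions, origin = PUBLIC_INDEX.get(name, []), "public"
    if not versions:
        raise LookupError(f"{origin} index does not provide {name!r}")
    return max(versions, key=_vkey), origin


def find_shadowed(private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Inventory check for defenders: internal names that also exist on the
    public index and therefore need reserving or blocking at the proxy."""
    return sorted(name for name in private if name in public)


if __name__ == "__main__":
    print("naive :", resolve_naive("acme-auth"))    # ('99.0.0', 'public')
    print("scoped:", resolve_scoped("acme-auth"))   # ('1.4.0', 'private')
    print("shadowed internal names:", find_shadowed())
```

The same scoping idea maps onto real tooling as a single authoritative index for internal names and registry-side name reservation; the check function is the part worth scheduling against a live inventory.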
