Ethical hacker Alex Birsan [link restricted to registered users] to inject malicious dependency packages into commonly used open-source developer tools.
The exploit method affects several programming languages, depending on how each language's package manager resolves and installs dependencies into projects from public repositories.
Supply chain attack affects 35 companies

Birsan's hacking method, called dependency confusion, allowed him to exploit 35 companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber in a supply chain attack.
Injecting malicious code into internal codebases allows an attacker to propagate through a company’s internal applications and systems.
“Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan wrote.
The cybersecurity researcher noted that the compromise method was surprisingly successful on three tested programming languages (Python, Java, and Ruby).
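The resolver behaviour that makes internal-name squatting work, and the check a defender can run against their own index configuration, as an added example (this is not Birsan's code and not any package manager's real implementation; the index contents, the package names `acme-auth` and `acme-billing`, and the version numbers are constructed for the simulation). The vulnerable resolver merges candidates from the internal and public index and takes the highest version regardless of origin, so a public upload with a large version number wins; the hardened resolver maps each declared-internal name to the internal index only and treats a missing internal package as an error rather than falling back to the public one. The `audit` function reports every requirement where the two resolvers disagree, which is exactly the set of names exposed to dependency confusion under that configuration.

```python
"""Dependency-confusion resolution, simulated offline (added example)."""
from __future__ import annotations
from typing import Dict, List, Set, Tuple

# Constructed sample indexes: versions available per package name.
# "internal" stands for the company's private registry, "public" for PyPI/npm.
INTERNAL_INDEX: Dict[str, List[str]] = {
    "acme-auth": ["1.4.0", "1.5.2"],
    "acme-billing": ["0.9.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.31.0"],
    # Same name as an internal package with a deliberately high version:
    # this is what a squatted public package looks like to the resolver.
    "acme-auth": ["99.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'x.y.z' into a comparable tuple; sufficient for the simulation."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name: str) -> Tuple[str, str]:
    """Vulnerable: merge candidates from every configured index and pick the
    highest version, whatever its origin (extra-index style behaviour)."""
    candidates = [("internal", v) for v in INTERNAL_INDEX.get(name, [])]
    candidates += [("public", v) for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(f"{name!r} not found on any index")
    source, version = max(candidates, key=lambda c: parse_version(c[1]))
    return source, version


def resolve_pinned(name: str, internal_names: Set[str]) -> Tuple[str, str]:
    """Hardened: a name declared internal is fetched only from the internal
    index; everything else only from the public index. A declared-internal
    name that is absent internally is an error, never a public fallback."""
    if name in internal_names:
        versions = INTERNAL_INDEX.get(name)
        if not versions:
            raise LookupError(f"internal package {name!r} missing from internal index")
        return "internal", max(versions, key=parse_version)
    versions = PUBLIC_INDEX.get(name)
    if not versions:
        raise LookupError(f"{name!r} not found on public index")
    return "public", max(versions, key=parse_version)


def audit(requirements: List[str], internal_names: Set[str]) -> List[str]:
    """Report each requirement where the merged resolver would install a
    different artifact than the pinned one: every such name is a live
    dependency-confusion exposure for this configuration."""
    findings: List[str] = []
    for name in requirements:
        merged = resolve_merged(name)
        pinned = resolve_pinned(name, internal_names)
        if merged != pinned:
            findings.append(
                f"{name}: merged resolver picks {merged[0]} {merged[1]}, "
                f"expected {pinned[0]} {pinned[1]}"
            )
    return findings


if __name__ == "__main__":
    internal = {"acme-auth", "acme-billing"}
    for finding in audit(["requests", "acme-auth", "acme-billing"], internal):
        print(finding)
```

Run as a script it prints one finding, for `acme-auth`: the merged resolver selects the public 99.0.0 build while the pinned resolver selects internal 1.5.2. The design point is that the fix is not a version pin alone (an attacker can always publish a higher number) but an explicit name-to-index mapping that never lets a public index answer for an internal name.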