Another Simple Supply Chain Attack

Article on BleepingComputer and TechXplore

A security researcher named Alex Birsan managed to compromise over 35 companies using a simple supply chain attack that relied on public open-source package repositories.

Birsan was able to find the names of internal packages and their dependencies for various companies and publish fake versions of those dependencies to public repositories such as npm and PyPI. When the packages were built, the build servers searched both the public and private repositories for the dependencies but pulled from the public repository first, because they treated the public copy as the newer version.

According to Birsan, “vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name”, resulting in a supply chain attack that takes advantage of dependency confusion.

Microsoft published a whitepaper on the issue along with mitigation strategies, such as referencing a single private feed rather than several, protecting packages with controlled scopes, and using client-side verification features such as pinning specific version numbers for packages and dependencies.
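To make the resolution flaw and the mitigations concrete, here is an added toy model of a build server's dependency resolver (example code written for this post, not from the article, Birsan's research or Microsoft's whitepaper). The feed contents, package names, scope prefix and pinned versions are all constructed for the demo; the naive resolver behaves as described above, while the hardened one applies a single bound feed per scope plus exact pins.

```python
# Added example (not from the article or Birsan's research): a toy model of
# how a build server resolves a dependency, contrasting the behaviour that
# enables dependency confusion with the mitigations the article lists.
# Feed contents, package names and versions are all constructed for the demo.

def parse_version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

# Constructed feeds: feed name -> {package name: [available versions]}.
# The public copy of the internal package name carries a version higher
# than anything on the private feed, which is what makes the naive resolver
# prefer it.
FEEDS = {
    "private": {"acme-internal-utils": ["1.2.0", "1.3.0"]},
    "public":  {"acme-internal-utils": ["99.0.0"], "requests": ["2.31.0"]},
}

# Mitigation settings (constructed): names under a controlled prefix are
# bound to exactly one feed, and builds pin exact versions.
SCOPES = {"acme-": "private"}
DEFAULT_FEED = "public"
PINS = {"acme-internal-utils": "1.3.0"}


def resolve_naive(name, feeds):
    """Search every configured feed and take the highest version, whichever
    feed it came from. This is the behaviour the article describes."""
    candidates = [(parse_version(v), feed, v)
                  for feed, packages in feeds.items()
                  for v in packages.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any feed")
    _, feed, version = max(candidates)
    return feed, version


def resolve_hardened(name, feeds, scopes, pins, default_feed=DEFAULT_FEED):
    """Pick the single feed the name's scope is bound to, never fall back to
    another feed, and honour an exact pin when one is configured."""
    feed = next((f for prefix, f in scopes.items() if name.startswith(prefix)),
                default_feed)
    available = feeds[feed].get(name, [])
    if name in pins:
        if pins[name] not in available:
            raise LookupError(f"{name}=={pins[name]} not on feed '{feed}'")
        return feed, pins[name]
    if not available:
        raise LookupError(f"{name}: not found on bound feed '{feed}'")
    return feed, max(available, key=parse_version)
```

Running `resolve_naive("acme-internal-utils", FEEDS)` returns the public 99.0.0 copy, whereas `resolve_hardened` with the same inputs returns the private 1.3.0 build and refuses a pin that the bound feed cannot satisfy instead of falling back to the public feed.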

Overall, it was a fairly simple supply chain attack, and it highlights the dangers of relying on open-source libraries and certain dependency managers.