10 February 2021

Major tech firms compromised by dependency confusion using public package distributions

Security researcher Alex Birsan noticed that publicly available build manifests of large companies frequently reference dependencies that are not public packages at all. For example, a package.json file from a PayPal Node.js project listed npm dependencies that did not exist in the public npm registry.

He concluded that these must be PayPal-internal packages, and he registered public npm packages with exactly the same names, each carrying a proof-of-concept payload that phones home when it is installed.

And lo! PayPal's builds mistakenly pulled in his public packages. The reason lies in how names are resolved: when an internal feed and the public registry are both consulted for the same name, installers such as pip with --extra-index-url simply take the highest version number, wherever it lives. An attacker who publishes the private name with an absurdly high version therefore wins automatically.

He repeated the technique against other companies and other package ecosystems (PyPI for Python and RubyGems for Ruby), landing his packages inside Apple, Uber, Netflix, Microsoft and Tesla. He collected over $130,000 in bug bounties.
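The attack as described above, simulated end to end in a small Python script. This is an added example, not part of the original article and not Alex Birsan's research code. The company name acme, the package names, the registry snapshots and the package.json are constructed. The two resolvers mirror documented installer behaviour rather than reproducing any real implementation: naive_resolve behaves like pip with --extra-index-url (all indexes merged, highest version wins), pinned_resolve behaves like an npm scoped registry or a single private feed (a name or @scope is bound to one index and other indexes are never consulted).

```python
"""Dependency confusion, simulated: find claimable names in a leaked
package.json, claim them on the public registry with a huge version
number, then resolve them with a merged-index and a pinned resolver."""
import json
import re

# Constructed package.json of a fictional company "acme", as it might be
# found in a public repository or shipped inside a web bundle.
PACKAGE_JSON = """
{
  "name": "acme-checkout-web",
  "dependencies": {
    "express": "^4.17.1",
    "lodash": "^4.17.20",
    "acme-auth-client": "^1.4.0",
    "acme-metrics": "~2.1.0",
    "@acme/payments-sdk": "^3.0.0"
  }
}
"""

# Constructed registry snapshots: package name -> published versions.
PUBLIC_REGISTRY = {"express": ["4.17.1"], "lodash": ["4.17.20", "4.17.21"]}
INTERNAL_REGISTRY = {
    "acme-auth-client": ["1.4.2"],
    "acme-metrics": ["2.1.3"],
    "@acme/payments-sdk": ["3.0.1"],
}


def confusion_candidates(package_json_text, public_registry):
    """Names an attacker could claim: unscoped dependencies that do not
    exist on the public registry. Scoped names (@org/pkg) are skipped
    because a scope can be bound to one registry (see pinned_resolve)."""
    deps = json.loads(package_json_text).get("dependencies", {})
    return sorted(
        name for name in deps
        if not name.startswith("@") and name not in public_registry
    )


def attacker_publishes(public_registry, name, version="99.0.0"):
    """Claim an unregistered name on the public registry with a version
    high enough that version preference will select it."""
    public_registry.setdefault(name, []).append(version)


def _version_key(version):
    """Numeric sort key for dotted versions ("4.17.21" -> (4, 17, 21))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def naive_resolve(name, indexes):
    """Merged-index resolution (pip --extra-index-url style): consult
    every index and take the highest version, whichever index holds it.
    `indexes` is an ordered dict of label -> registry snapshot."""
    best = None
    for label, registry in indexes.items():
        for version in registry.get(name, []):
            if best is None or _version_key(version) > _version_key(best[0]):
                best = (version, label)
    return best


def pinned_resolve(name, indexes, scope_map, default="public"):
    """Pinned resolution: a name (or its @scope) is looked up only in the
    single index it is mapped to. A public package of the same name is
    never even considered, so a higher version there changes nothing."""
    scope = name.split("/")[0] if name.startswith("@") else name
    label = scope_map.get(scope, default)
    versions = indexes[label].get(name, [])
    if not versions:
        return None
    return (max(versions, key=_version_key), label)


def simulate():
    """Run the attack against both resolvers and return the outcomes."""
    public = {k: list(v) for k, v in PUBLIC_REGISTRY.items()}  # attacker's view
    indexes = {"internal": INTERNAL_REGISTRY, "public": public}
    targets = confusion_candidates(PACKAGE_JSON, public)
    for name in targets:
        attacker_publishes(public, name)
    # Hypothetical client-side policy: internal names are bound to the internal feed.
    scope_map = {"acme-auth-client": "internal", "acme-metrics": "internal",
                 "@acme": "internal"}
    return {
        "targets": targets,
        "naive": {n: naive_resolve(n, indexes) for n in targets},
        "pinned": {n: pinned_resolve(n, indexes, scope_map) for n in targets},
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Running the script shows the two unscoped internal names being selected from the public registry at version 99.0.0 by the merged resolver, while the pinned resolver returns the internal 1.4.2 and 2.1.3 and never looks at the public copies. The first function is also the check a defender wants to run over their own manifests: any unscoped name it returns is a name somebody else can register today.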

Sonatype's malware scanner picked the packages up on the public registries and added them to its detection signatures to protect its customers, but let Birsan continue his research for a while.

The attack is closely related to typosquatting, where malicious public packages carry names nearly identical to popular ones in the hope of being installed by mistake. Dependency confusion needs no typo, however: the attacker uses the exact name of a private package, so a build whose manifest is entirely correct from the developer's point of view still pulls in the wrong one.

Microsoft issued a white paper with recommendations to mitigate the risks of working with public packages: pull packages from a single private feed that mirrors what is needed from public sources instead of mixing feeds, reserve namespaces or scopes for internal packages, and add client-side controls such as version pinning and integrity verification.