Ad End 1 February 2024
Ad Ends 13 January 2025
Ad End 26 February 2025
ad End 25 April 2025
Ad Ends 20 January 2025
Ad expire at 5 August 2024
banner Expire 25 April 2025
What's new
banner Expire 15 January 2025
banner Expire 20 October 2024
UniCvv
casino
swipe store
adv exp at 23 August 2024
Carding.pw carding forum
BidenCash Shop
Kfc CLub

File_closed07

TRUSTED VERIFIED SELLER
Staff member
Joined
Jun 13, 2020
Messages
7,738
Reaction score
922
Points
212
Awards
2
  • trusted user
  • Rich User
A researcher claims to have hacked into the internal systems of major companies including Apple and Microsoft using a novel supply chain attack.

Alex Biran created malicious node packages and uploaded them to the npm registry under unclaimed names. The node packages collected information through their preinstall script about the machines upon which they were installed.

Next, Biran came up with a way to get the packages to send information back to him.

"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," wrote Biran.

The data was hex-encoded and used as part of a DNS query, which reached the researcher's custom authoritative name server, either directly or through intermediate resolvers. Biran then found private package names inside JavaScript files.

"Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way," Biran wrote.

In the latter half of 2020, Biran scanned millions of domains belonging to targeted companies and extracted hundreds of JavaScript package names that hadn't been claimed on the npm registry. He uploaded his malicious code to the package-hosting services and achieved a success rate that he described as "simply astonishing."

"Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," said Biran.

"This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages."

The vast majority of affected companies employed over a thousand people.

“This is an incredibly serious industry-wide problem," Craig Young, principal security researcher at Tripwire, told Infosecurity Magazine.

"When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risks. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”
 
Ad End 1 February 2024
Top