Malicious NPM packages target Amazon, Slack with new dependency attacks
12:14 AM
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new Dependency Confusion vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.
Last month, BleepingComputer reported that security researcher Alex Birsan earned bug bounties from 35 companies by utilizing a new flaw in open-source development tools.
The flaw works by attackers publishing packages under the same names as a company's internal repositories or components. When those packages are hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would pull the public package rather than the company's internal one when building the application.
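As an added, defensive illustration of the resolution problem described above (not code from the article or from the researcher), the Node.js script below scans a constructed package.json and .npmrc and flags internal package names that npm could also resolve from the public registry; the package inventory, the @acme scope and the registry URLs are assumptions made up for this example.

```javascript
// Added example: find dependencies whose names an internal team owns but which
// npm is still allowed to resolve from the public registry (dependency confusion).
// The inventory, package.json and .npmrc below are constructed for this demo.
const INTERNAL_PACKAGES = new Set(['payments-core', '@acme/auth-client', 'acme-logger']);

const PACKAGE_JSON = JSON.stringify({
  name: 'acme-web',
  dependencies: { express: '^4.18.2', 'payments-core': '^2.1.0', '@acme/auth-client': '^1.4.0' },
  devDependencies: { 'acme-logger': '^0.9.0' },
});

// Only the @acme scope is pinned to the private registry; unscoped names fall
// through to the default public registry.
const NPMRC = `registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
`;

// Collect scopes that .npmrc maps to a dedicated registry (e.g. "@acme:registry=...").
function parseNpmrc(text) {
  const pinnedScopes = new Set();
  for (const line of text.split('\n')) {
    const m = line.match(/^(@[^:]+):registry=(\S+)/);
    if (m) pinnedScopes.add(m[1]);
  }
  return pinnedScopes;
}

// Return every dependency that is internal but not guaranteed to resolve from
// the private registry. Third-party public packages are out of scope here.
function findConfusionRisks(pkgJsonText, npmrcText, internalNames) {
  const pkg = JSON.parse(pkgJsonText);
  const pinnedScopes = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const risks = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue;
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && pinnedScopes.has(scope)) continue; // safe: scope pinned to private registry
    risks.push({
      name,
      reason: scope
        ? `scope ${scope} has no registry entry in .npmrc`
        : 'unscoped internal name; a same-named public package would win',
    });
  }
  return risks;
}

console.log(findConfusionRisks(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES));
```

Moving internal packages under a scope and pinning that scope in .npmrc is the mitigation this check enforces; the unscoped names it reports are the ones a higher-versioned public package could shadow.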