CyberNews Briefs

Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

According to new research by Alex Birsan, attackers have been weaponizing code dependency confusion to target high-profile companies such as Lyft, Slack, Zillow, and Amazon. Researchers have spotted the malicious packages targeting internal applications and seeking to exfiltrate sensitive information via the npm public code repository. Birsan recently released a proof-of-concept to detail how the attack is conducted and what techniques are used.

Birsan tested dependency confusion by publishing benign proof-of-concept packages to public package repositories, then waited to see whether they would be imported. When they were, his theory was confirmed: outside code can be pulled into a targeted company's internal applications and propagated through its systems when a public package shares the name of an internal dependency. This applied to companies such as Apple, Microsoft, PayPal, Tesla, Uber, Netflix, and Shopify.
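The exposure the article describes comes down to how a package manager resolves a name: if an internal dependency is not pinned to a private registry, the public registry can serve a package with the same name. The following Node.js script is an added example written for this brief; it is not code from the article or from Birsan's research. It audits a project's package.json against its .npmrc and flags dependencies that could resolve to the public npm registry. The "@acme" scope, the unscoped internal package "acme-billing", the private registry URL and the sample file contents are all constructed assumptions.

```javascript
// Added example: offline audit for npm dependency-confusion exposure.
// Assumptions (constructed for this example, not from the article):
//   - the organisation publishes internal packages under the "@acme" scope
//   - one legacy internal package, "acme-billing", is still unscoped
//   - the private registry lives at https://npm.internal.example/
const INTERNAL_SCOPES = ['@acme'];
const INTERNAL_UNSCOPED = ['acme-billing'];

// Constructed stand-in for a project's package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'internal-app',
  dependencies: {
    'lodash': '^4.17.21',
    '@acme/auth-client': '^2.1.0',
    'acme-billing': '1.4.0',
  },
  devDependencies: {
    '@acme/eslint-config': '*',
  },
});

// Constructed .npmrc that correctly pins the internal scope to the private registry.
const HARDENED_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@acme:registry=https://npm.internal.example/',
].join('\n');

// Constructed .npmrc with no scope mapping: everything resolves to the public registry.
const WEAK_NPMRC = 'registry=https://registry.npmjs.org/\n';

// Parse .npmrc into the default registry and a Map of scope -> registry URL.
function parseNpmrc(text) {
  const scopeRegistries = new Map();
  let defaultRegistry = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') {
      defaultRegistry = value;
    } else if (key.startsWith('@') && key.endsWith(':registry')) {
      scopeRegistries.set(key.slice(0, -':registry'.length), value);
    }
  }
  return { scopeRegistries, defaultRegistry };
}

// Gather every dependency name across the usual package.json sections.
function collectDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const names = new Set();
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) names.add(name);
  }
  return [...names];
}

// Return one finding per dependency that could be shadowed by a public package.
function auditDependencyConfusion(packageJsonText, npmrcText) {
  const pkg = JSON.parse(packageJsonText);
  const { scopeRegistries } = parseNpmrc(npmrcText);
  const findings = [];
  for (const name of collectDependencies(pkg)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && INTERNAL_SCOPES.includes(scope)) {
      // Scoped internal package: safe only if the scope is pinned to a private registry.
      if (!scopeRegistries.has(scope)) {
        findings.push({ name, reason: `scope ${scope} has no registry mapping in .npmrc; it resolves to the public registry` });
      }
    } else if (INTERNAL_UNSCOPED.includes(name)) {
      // Unscoped internal name: anyone can publish that name publicly, so no .npmrc setting protects it.
      findings.push({ name, reason: 'internal package is unscoped; a public package with the same name can shadow it' });
    }
  }
  return findings;
}

// Stand-alone run: compare the weak and hardened configurations.
console.log('weak .npmrc:', auditDependencyConfusion(SAMPLE_PACKAGE_JSON, WEAK_NPMRC));
console.log('hardened .npmrc:', auditDependencyConfusion(SAMPLE_PACKAGE_JSON, HARDENED_NPMRC));
```

With the weak configuration all three internal packages are flagged; with the scope pinned to the private registry only the unscoped legacy package remains, which is the case a registry setting cannot fix and which needs the package renamed into the organisation's scope (or the name claimed on the public registry). A lockfile with integrity hashes and exact version pins complements this check but does not replace it, because a fresh `npm install` of a new dependency still goes through name resolution.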

Read More: Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.