Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow
According to new research by Alex Birsan, attackers have been weaponizing code dependency confusion to target high-profile companies such as Lyft, Slack, Zillow, and Amazon. Researchers have spotted malicious packages targeting internal applications and seeking to exfiltrate sensitive information via the public npm code repository. Birsan recently released a proof-of-concept detailing how the attack is conducted and which techniques are used.
Birsan tested his dependency confusion theory using benign PoC packages, which he uploaded to public repositories and then waited to see whether they would be imported. When they were, his theory was proven accurate: outside code can be imported and propagated through a targeted company's internal applications and systems. This applies to companies such as Apple, Microsoft, PayPal, Tesla, Uber, Netflix, and Shopify.
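The defender-side check that follows is an added example, not code from the article or from Birsan's proof-of-concept: it audits a (constructed) package-lock.json against a list of package names an organisation considers internal, flagging any internal package that was resolved from the public npm registry and any internal name that lacks a private scope. The package names, registry hostname and lockfile contents are all assumed sample data.

```javascript
// Added example (not from the article or Birsan's PoC): a defender-side
// dependency-confusion audit for an npm project. It flags internal package
// names that resolved from the public registry and internal names that lack
// a private scope. All inputs below are constructed sample data.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
// Constructed: names the organisation considers internal.
const INTERNAL_PACKAGES = new Set(['acme-auth-lib', '@acme/billing-core', 'acme-logger']);
// Constructed package-lock.json (lockfileVersion 2 layout, trimmed).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'acme-web' },
    'node_modules/acme-auth-lib': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/acme-auth-lib/-/acme-auth-lib-99.0.0.tgz'
    },
    'node_modules/@acme/billing-core': {
      version: '1.4.2',
      resolved: 'https://npm.internal.example/@acme/billing-core/-/billing-core-1.4.2.tgz'
    },
    'node_modules/acme-logger': {
      version: '2.0.1',
      resolved: 'https://npm.internal.example/acme-logger/-/acme-logger-2.0.1.tgz'
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz'
    }
  }
};

// Package name from a lockfile key such as "node_modules/@acme/billing-core"
// or "node_modules/foo/node_modules/bar" (nested installs).
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Audits a parsed package-lock.json; returns [{ name, version, issue }].
function auditLock(lock, internalNames) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!internalNames.has(name)) continue;
    if (!name.startsWith('@')) findings.push({ name, version: entry.version, issue: 'unscoped-internal-name' });
    if ((entry.resolved || '').startsWith(PUBLIC_REGISTRY)) findings.push({ name, version: entry.version, issue: 'resolved-from-public-registry' });
  }
  return findings;
}
```

Run against a real lockfile with `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), INTERNAL_PACKAGES)`; the suspiciously high `99.0.0` version on the public-registry entry is the pattern the article describes, a public package outranking the internal one.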