![]() ![]() “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies. Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. ![]() The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository - all of which exfiltrate sensitive information. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |