Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

by parv (Vicar)
on Mar 07, 2021 at 07:33 UTC ( #11129246=note: print w/replies, xml ) Need Help??


in reply to (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Actual attack this time: A new type of supply-chain attack with serious consequences is flourishing: New dependency confusion attacks take aim at Microsoft, Amazon, Slack, Lyft, and Zillow by Dan G (Mar 6, 2021) ...

The goal of these attacks is to execute unauthorized code inside a targetís internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name thatís identical to a package stored in the target developerís internal repository.

Developersí software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. Alex Birsan [...] dubbed the new type of supply chain attack dependency confusion or namespace confusion because it relies of software dependencies with misleading names.

  • Comment on Re: (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11129246]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (2)
As of 2022-12-03 23:09 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?