A security researcher recently discovered a vulnerability that let him access the internal systems of 35 companies, including tech giants such as Microsoft, Apple, Netflix, Tesla, Uber, and PayPal, in a novel software supply chain attack. For the test, the researcher uploaded malware to open source repositories, including PyPI, npm, and RubyGems, from where it was automatically pulled downstream into the companies’ internal applications. The supply chain attack leverages a design flaw in the open source ecosystems, called dependency confusion, and it needs no action by the victim, who automatically receives the malicious packages.

The vulnerability, found by researcher Alex Birsan, was first reported by Bleeping Computer.

Birsan used DNS to exfiltrate the data in order to evade detection.

Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages with the same names as their internal ones.

“I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any manual input from the victim…Rather, vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the same name,” Birsan said.
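The following added example (not code from the article or from Birsan) simulates the resolution flaw Birsan describes and one mitigation. It models the behaviour of a client that treats every configured index as equally trusted and picks the highest version, versus one that only ever resolves known internal names from the private index. The package names, versions and index contents are constructed sample data.

```python
"""Simulated package resolution illustrating dependency confusion.

Constructed sample data: a private index hosts an internal package, and the
public index carries a package of the same name with a much higher version.
"""
from typing import Dict, List, Set, Tuple

Index = Dict[str, List[str]]

# Constructed indexes (not real registry state).
PRIVATE_INDEX: Index = {"acme-internal-utils": ["1.2.0", "1.3.0"], "requests": ["2.25.1"]}
PUBLIC_INDEX: Index = {"acme-internal-utils": ["99.0.0"], "requests": ["2.25.1"]}
INTERNAL_NAMES: Set[str] = {"acme-internal-utils"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name: str, indexes: List[Tuple[str, Index]]) -> Tuple[str, str]:
    """Vulnerable behaviour: all indexes are merged and the highest version
    wins, regardless of which index it came from. A public package with a
    large version number therefore shadows the internal one."""
    candidates = [(parse_version(v), src, v) for src, idx in indexes for v in idx.get(name, [])]
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    _, source, version = max(candidates)
    return source, version


def resolve_pinned(name: str, internal: Set[str], private: Index, public: Index) -> Tuple[str, str]:
    """Mitigated behaviour: names declared internal are resolved only from the
    private index; the public index is never consulted for them."""
    if name in internal:
        versions = private.get(name, [])
        if not versions:
            raise LookupError(f"internal package {name} missing from private index")
        return "private", max(versions, key=parse_version)
    versions = public.get(name, [])
    if not versions:
        raise LookupError(f"no candidates for {name}")
    return "public", max(versions, key=parse_version)


def find_confused(resolved: Dict[str, Tuple[str, str]], internal: Set[str]) -> List[str]:
    """Audit helper: report internal names that a build resolved from a
    public source, which is the signature of a dependency-confusion install."""
    return sorted(n for n, (src, _) in resolved.items() if n in internal and src != "private")
```

Running `resolve_naive` for the internal name returns the public 99.0.0 candidate, while `resolve_pinned` returns the private 1.3.0 one; `find_confused` over a build's resolved set flags the former.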

The researcher earned over $130,000 in bug bounties for his ethical research. Microsoft awarded him their highest bug bounty of $40,000. PayPal has disclosed that it will be awarding Birsan a $30,000 bounty amount. Another $30,000 reward came from Apple.

Birsan added that Shopify awarded a $30,000 bug bounty for finding the issue.

Tesla and other companies also rewarded him through their own bounty programs.
