Ethical hacker breached defenses of 35 companies using ‘Dependency Confusion’ supply-chain hack and popular open-source software repositories

Deviously simple dependency confusion attack compromised leading tech companies? Pic credit: Abhinav Thakur/PixaHive

A vulnerability, which ethical hacker Alex Birsan calls ‘dependency confusion’, allowed him to walk past the defenses of top tech companies. Birsan demonstrated a novel supply-chain attack that breached the systems of more than 35 technology companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, and Uber.

Tech giants and leading internet companies had their internal systems breached as part of a ‘proof of concept’ attack. The attack relied on the fact that the majority of companies often pull in open-source software from public repositories.

An ethical hacker successfully ‘hacks’ tech companies using open-source tools injected with malicious code:

Security researcher Alex Birsan devised an ingenious and effective attack to breach the digital perimeters of leading tech companies. The attack primarily injects malicious code through the common tools developers use to install dependencies in their projects, tools which typically pull from public repositories.

Needless to add, common and popular sites like GitHub host millions of small but effective open-source tools. Developers routinely tap into such repositories to grab the dependencies and use them within their projects.

The attack involved uploading malware to open-source repositories including PyPI, npm, and RubyGems. The malware then quietly and automatically made its way downstream, into the targets’ internal and sensitive applications.

The attack is concerning because it does not need any action by the victim. In other words, the laced packages made their way into secured networks with no active user intervention.

Traditional attacks need a weak point, which attackers typically exploit with carefully crafted social engineering. In order to deliver the malicious code, attackers need victims to accept a similar-looking and similar-sounding package.

Dependency Confusion attacks a wake-up call for all tech and internet companies:

The ethical hacker has indicated that he had prior arrangements with targeted organizations, who all agreed to be tested. Apparently, Birsan has received more than $130,000 in both bug bounties and pre-approved financial arrangements. Interestingly, PayPal, as well as Apple and Canada’s Shopify, each contributed $30,000.

The ethical hacker reveals that he merely exploited the exceptional trust developers put in a “simple command.” Developers routinely run a command such as “pip install package_name” in Python, with equivalent installers for Node, Ruby, and other languages.

This command installs dependencies, or blocks of code shared between projects. However, these installers are usually tied to public code repositories. Needless to add, these repositories are open to all. In other words, anyone can freely upload code packages for others to use.
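The installer behaviour the preceding paragraphs describe can be modelled in a few lines. The following is an added example, not code from the article or from Birsan’s research: a toy resolver that treats a private index and the public index as one pool and takes the highest version, beside a hardened resolver that only ever fetches internally named packages from the private index and refuses to fall back to the public one. Every package name, version and index entry below is constructed.

```python
"""Toy model of a dependency resolver, constructed for illustration.

naive_resolve()  - merges all indexes and picks the highest version, whatever its origin
pinned_resolve() - names declared internal come only from the private index; a miss there
                   is an error, never a public fallback
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # "private" or "public"


def parse_version(v: str) -> tuple:
    """Minimal numeric version parser; sufficient for the x.y.z samples used here."""
    return tuple(int(part) for part in v.split("."))


# Constructed index contents. "acme-billing" is an internal package whose name has
# become known; an entry with a very high version number sits on the public index.
INDEXES = {
    "private": {
        "acme-billing": ["1.1.0", "1.2.0"],
    },
    "public": {
        "requests": ["2.25.1", "2.26.0"],
        "acme-billing": ["99.0.0"],  # constructed public upload reusing the internal name
    },
}


def naive_resolve(name: str, indexes: dict = INDEXES) -> Candidate:
    """Mimic an installer configured with several indexes that it treats as one pool:
    the highest version wins, regardless of which index it came from."""
    pool = [
        Candidate(name, v, idx)
        for idx, pkgs in indexes.items()
        for v in pkgs.get(name, [])
    ]
    if not pool:
        raise LookupError(f"{name} not found on any index")
    return max(pool, key=lambda c: parse_version(c.version))


def pinned_resolve(name: str, private_names: set, indexes: dict = INDEXES) -> Candidate:
    """Hardened policy: an internal name is resolved from the private index only.
    If it is missing there, fail loudly instead of reaching for the public copy."""
    if name in private_names:
        versions = indexes["private"].get(name, [])
        if not versions:
            raise LookupError(
                f"internal package {name} missing from private index; refusing public fallback"
            )
        return Candidate(name, max(versions, key=parse_version), "private")
    versions = indexes["public"].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found on public index")
    return Candidate(name, max(versions, key=parse_version), "public")


if __name__ == "__main__":
    print("naive :", naive_resolve("acme-billing"))
    print("pinned:", pinned_resolve("acme-billing", {"acme-billing"}))
```

Run stand-alone, the naive resolver reports the public 99.0.0 candidate for the internal name while the pinned resolver returns the private 1.2.0 build. The point of the hardened variant is the error path: when an internal name is not on the private index, a resolver that silently falls back to the public registry is exactly the behaviour the article describes being abused.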

The ethical hacker attempted to answer a simple question: “Can this blind trust be exploited by malicious actors?”. And he received a deeply concerning answer.

Once the laced packages on publicly modifiable repositories found their way inside secure networks, it was relatively easy to exfiltrate sensitive information.

Secure networks heavily guard entry points, but data usually moves with minimal oversight on its way out. Using DNS-based data exfiltration, Birsan was able to catalog and retrieve data from inside well-protected corporate networks.

It is concerning to note that the ethical hacker found multiple private packages on public repositories. Needless to add, a determined malicious code writer could easily conduct a similar search and cast a very wide net.
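A defender’s first step against the search described above is to know which internal package names a project depends on and which of them are exposed to the public registry. The following is an added example, not code from the article: it reads a requirements.txt and a package.json, normalises the declared dependency names, and flags internal names that are not under an organisation-owned npm scope (names beginning with `@org/`, which only the scope owner can publish to on the public registry). The manifests, the `acme-` naming prefix and the package names are constructed assumptions.

```python
"""Audit project manifests for internal dependency names that could be claimed publicly.

Assumption (constructed): internal packages are named with the prefix "acme-".
Scoped npm names ("@acme/...") are skipped because publishing into a scope on the
public registry requires ownership of that scope.
"""
import json
import re

# Constructed sample manifests.
REQUIREMENTS_TXT = """\
# internal
acme-billing==1.2.0
Acme_Auth[ldap]>=3.0   # extras and mixed case are normalised
requests>=2.26
-e .
--index-url https://pypi.example.internal/simple
"""

PACKAGE_JSON = """{
  "name": "frontend",
  "dependencies": {"@acme/ui": "^2.0.0", "acme-auth-client": "1.0.0", "lodash": "^4.17.21"},
  "devDependencies": {"acme-test-fixtures": "0.3.0", "jest": "^27.0.0"}
}"""


def normalise_pypi(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str):
    """Return the normalised package name on one requirements.txt line, or None for
    blank lines, comments and pip options (-e, --index-url, ...)."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalise_pypi(m.group(1)) if m else None


def pypi_dependency_names(text: str) -> list:
    return [n for n in (requirement_name(l) for l in text.splitlines()) if n]


def npm_dependency_names(text: str) -> list:
    data = json.loads(text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(data.get(section, {}))
    return names


def audit(names: list, internal_prefixes: tuple) -> list:
    """Flag internal-looking names that are not protected by an npm scope.
    These are the names that must exist on the private index, be reserved on the
    public registry, or be moved under a scope."""
    findings = []
    for n in names:
        if n.startswith("@"):
            continue  # scoped: only the scope owner can publish it publicly
        if n.lower().startswith(internal_prefixes):
            findings.append(n)
    return findings


def audit_project(requirements: str = REQUIREMENTS_TXT, package_json: str = PACKAGE_JSON,
                  internal_prefixes: tuple = ("acme-",)) -> dict:
    return {
        "pypi": audit(pypi_dependency_names(requirements), internal_prefixes),
        "npm": audit(npm_dependency_names(package_json), internal_prefixes),
    }


if __name__ == "__main__":
    for ecosystem, names in audit_project().items():
        print(f"{ecosystem}: {names}")
```

The output lists `acme-billing` and `acme-auth` for PyPI and `acme-auth-client` and `acme-test-fixtures` for npm, while `@acme/ui` is left alone. Each flagged name is one that an installer reaching the public registry could be handed a stranger’s package for, which is precisely the exposure the article says Birsan found across dozens of companies.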
