Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Wow! Every once in a while an exploit methodology comes along and makes me think “why didn’t I think of that?” This is one of those…:

With the logic dictating which package would be sourced from where being unclear here, a few questions arose:

  • What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
  • Will developers, or even automated systems, start running the code inside the libraries?
  • If this works, can we get a bug bounty out of it?
  • Would this attack work against other companies too?

Without further ado, I started working on a plan to answer these questions.

[…]

Original Article
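The questions in the excerpt hinge on one mechanism: an unscoped package name is looked up on whatever registry npm is configured to use by default, so an internal name that exists only on a private feed can be claimed on the public one. The script below is an added example, not code from the original article or from any of the companies it names; it models npm's registry selection from `.npmrc` (`registry=` for the default, `@scope:registry=` for scoped names) and flags dependencies that look internal but would be fetched from the public registry. The `.npmrc`, `package.json`, package names, registry URLs and the `isAcmeInternal` naming rule are all constructed for illustration. It models only `.npmrc` routing, not proxy registries that merge public and private feeds.

```javascript
// Added example (not from the original article): model how npm chooses a
// registry per dependency and flag names a public upload could hijack.
// All names, versions and URLs below are constructed for illustration.

// Constructed .npmrc: scoped packages route to a private registry,
// every other name falls through to the default (public) registry.
const NPMRC = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=\${NPM_TOKEN}
`;

// Constructed package.json for a hypothetical internal project.
const PACKAGE_JSON = JSON.stringify({
  name: "acme-checkout",
  dependencies: {
    "express": "^4.18.0",
    "@acme/payments-core": "^2.1.0", // scoped: routed by the @acme line
    "acme-fraud-rules": "^1.4.0",    // unscoped internal name
    "acme-logging": "^0.9.0"         // unscoped internal name
  }
});

// Parse the subset of .npmrc that decides registry selection:
// `registry=URL` and `@scope:registry=URL` lines.
function parseNpmrc(text) {
  const config = { default: "https://registry.npmjs.org/", scopes: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      config.default = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      config.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return config;
}

// A scoped name resolves through its scope's registry when one is
// configured; any other name goes to the default registry.
function registryFor(name, config) {
  if (name.startsWith("@")) {
    const scope = name.slice(0, name.indexOf("/"));
    if (config.scopes[scope]) return config.scopes[scope];
  }
  return config.default;
}

// Flag dependencies that are internal by naming convention but would be
// fetched from a registry anyone can publish to. `isInternal` is a
// hypothetical predicate; a real inventory comes from the private registry.
function findConfusable(packageJson, npmrc, isInternal, publicRegistry) {
  const deps = JSON.parse(packageJson).dependencies || {};
  const config = parseNpmrc(npmrc);
  const findings = [];
  for (const name of Object.keys(deps)) {
    const registry = registryFor(name, config);
    if (isInternal(name) && registry === publicRegistry) {
      findings.push({ name, registry });
    }
  }
  return findings;
}

// Hypothetical naming rule for this example's "internal" packages.
const isAcmeInternal = (name) =>
  name.startsWith("@acme/") || name.startsWith("acme-");

for (const hit of findConfusable(PACKAGE_JSON, NPMRC, isAcmeInternal,
                                 "https://registry.npmjs.org/")) {
  console.log(`${hit.name} would be fetched from ${hit.registry}: confusable`);
}
```

Run with `node`; the two unscoped `acme-*` names are reported, while `@acme/payments-core` is not, because the `@acme:registry=` line pins its scope to the private registry. That is the shape of the fix: publish internal packages under a scope you own and route that scope explicitly, rather than relying on an unscoped name being absent from the public registry.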