Wow! Every once in a while an exploit methodology comes along and makes me think “why didn’t I think of that?” This is one of those…:
While attempting to hack PayPal with me during the summer of 2020, Justin Gardner (@Rhynorater) shared an interesting bit of Node.js source code found on GitHub.
The code was meant for internal PayPal use and, in its package.json file, appeared to contain a mix of public and private dependencies: public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time.