- This Windows mini PC gives the Mac Mini M4 serious competition - and it's $200 off
- 5 warning signs that your phone's been hacked - and how to fight back
- 5 easy ways to transfer photos from your Android device to your Windows PC
- How to get Google's new Pixel 9a for free
- Just installed iOS 18.4? Changing these 3 features made my iPhone much better to use
Researcher Hacks Apple and Microsoft
A researcher claims to have hacked into the internal systems of major companies including Apple and Microsoft using a novel supply chain attack.
Alex Biran created malicious node packages and uploaded them to the npm registry under unclaimed names. The node packages collected information through their preinstall script about the machines upon which they were installed.
Next, Biran came up with a way to get the packages to send information back to him.
“Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go,” wrote Biran.
The data was hex-encoded and used as part of a DNS query, which reached the researcher’s custom authoritative name server, either directly or through intermediate resolvers. Biran then found private package names inside JavaScript files.
“Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way,” Biran wrote.
In the latter half of 2020, Biran scanned millions of domains belonging to targeted companies and extracted hundreds of JavaScript package names that hadn’t been claimed on the npm registry. He uploaded his malicious code to the package-hosting services and achieved a success rate that he described as “simply astonishing.”
“Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” said Biran.
“This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages.”
The vast majority of affected companies employed over a thousand people.
“This is an incredibly serious industry-wide problem,” Craig Young, principal security researcher at Tripwire, told Infosecurity Magazine.
“When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risks. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”
