Attackers have weaponized code dependency confusion to target internal apps at tech giants.

Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.

The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies.

, Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

“Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. And the answer was yes.

Dependency Confusion Gains Swarms of Copycat Fans

In Birsan’s case, he tested this “dependency confusion” using benign PoC code blocks. These were uploaded to public repositories – and he simply sat back and waited to see if they would be imported. His hunch proved correct, demonstrating how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber.

In all, he received more than $130,000 in bug bounties and pre-approved financial arrangements with targeted organizations from the experiment, who all had agreed to be tested. This has spawned legions of copycat bounty hunters looking to reap a payday – there were 275+ such packages uploaded to the npm repository within 48 hours of Birsan’s research being published, according to a Sonatype analysis. The number has now jumped to more than 700, Sonatype said on Tuesday, with malicious actors wading into the mix.

“An ethical researcher will typically post a package under the same name as the private dependency to a public repository like npm,” Sonatype researcher Ax Sharma explained to Threatpost in an interview. “Except, their package would contain enough minimal PoC code to demonstrate the attack to the vendor and the bug-bounty program. The ethical research packages seen by Sonatype also had disclaimers in place indicating these were a part of ethical security research, which gives some reassurance.”

Dependency Confusion Becomes Malicious

Unfortunately, Sonatype also identified several malicious packages, showing that the technique is being weaponized.

“Some of the dependency-confusion copycat packages take what may be deemed ‘ethical research’ a step further, by engaging in outright malicious activities,” Sharma explained.

Several of the copycat packages Sonatype identified exfiltrate, for example, the user’s .bash_history files and /etc/shadow files.

The .bash_history file contains a list of commands previously executed by a Unix-based OS user at the terminal. Unless periodically cleared, this file can contain the usernames, passwords and other sensitive data.

The /etc/shadow file meanwhile maintains hashed password data of user accounts on a system. Although the file is typically restricted to “super user” accounts, a malicious actor could obtain the file should the infected machine be running npm with elevated privileges.

“These typically contain highly sensitive information that should remain unseen,” Sharma explained. “Some of these packages also established a reverse shell to their author’s servers, and had no obvious disclaimers or indications in place to clarify if this was part of ethical research, or a bug-bounty program.”

Easy, Automatic Compromise

Exacerbating the danger from these packages is the fact that these types of code imports are done automatically – when a new version becomes available, a developer project will automatically fetch it from a repository.

“What makes this trend even more problematic is that dependency confusion — because of its very nature — needs no action on the victim’s part,” Sharma explained. “Considering these malicious packages could share names with internal dependencies being used by leading organizations, they can be pulled almost instantaneously into the organizations’ builds.”

Unfortunately, it’s also fairly easy to identify what those internal dependencies are, even if they’re technically private.

“What ethical researchers typically do is monitor an organization’s public GitHub repository or CDN for code,” Sharma said. “This code may reveal the names of their internal dependencies (e.g. in the manifest files), not otherwise available on public repositories like npm, RubyGems or GitHub. At least, that is how Alex Birsan did it, but there remains room to be creative.”

And further, because the copycat packages are uploaded to public repositories, there’s little barrier to entry for malicious attackers. This is the same problem that’s often found in software supply-chain attacks involving typosquatting and brandjacking of public packages.

“Anybody — whether ethical researchers or malicious actors — can exploit the dependency confusion issue,” Sharma said. “What constitutes ‘ethical’ or not is largely determined by the actor’s intent.”

Amazon, Lyft, Slack and Zillow Copycat Packages

Researchers uncovered malicious packages targeting a variety of companies, but four aimed at Amazon, Lyft, Slack and Zillow stood out.

The npm webpage for “amzn” offers two identical versions of a malicious package, each of which contains just two files: a manifest called package.json, and the functional run.js file. The “amzn” package that has names analogous to Amazon’s GitHub repository and open source packages, according to researchers.

“Inside run.js is where we see the contents of the /etc/shadow file being accessed and ultimately exfiltrated to the package’s author to domain the comevil[.]fun,” according to the analysis. “The code also has the author opening a reverse shell to their server which would spawn as soon as the `amzn` package infiltrates the vulnerable build.”

As for Zillow, the package “zg-rentals” was also posted to npm by the same author, and is identical in structure and functionality to the “amzn” package, researchers said. Neither offers any indication or disclaimer that they could be linked to an ethical research effort, according to the Sonatype analysis.

Meanwhile, the malicious “serverless-slack-app” package also has no clear-cut sign that it’s linked to an ethical research or a bug-bounty program. It’s named after a legitimate package made by an Atlassian developer. It has both preinstall and postinstall scripts launched by the manifest file, according to Sonatype.

“While the index.js script spun up at the preinstall stage is an identical replica of that in Birsan’s PoC research packages, the postinstall script is particularly interesting,” according to the post. “At the postinstall stage, another script hosted on GitHub is run that sends the user’s .bash_history file to the author behind serverless-slack-app.”

The same author published a near-identical Lyft package, called lyft-dataset-sdk, which shares a name with a Python-based package used by Lyft.

“I was starting to wonder when we were going to see a malicious actor take advantage of the current situation,” Sonatype security researcher Juan Aguirre said, in the posting. “Finally, we’ve spotted one.”

He added, “It’s interesting to look at all the malicious npm copycat packages released recently. You can see their evolution. They start out with pretty much the same code base as the PoC released by researcher Alex Birsan and they gradually start getting creative.”