You have probably heard of these tools already — Node has npm and the npm registry, Python’s pip uses

Author : rezamoana
Publish Date : 2021-02-10 08:58:30


Ever since I started learning how to code, I have been fascinated by the level of trust we put in a simple command like this one:
Some programming languages, like Python, come with an easy, more or less official method of installing dependencies for your projects. These installers are usually tied to public code repositories where anyone can freely upload code packages for others to use.
You have probably heard of these tools already — Node has npm and the npm registry, Python’s pip uses PyPI (Python Package Index), and Ruby’s gems can be found on… well, RubyGems.
When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?
Of course it can.
None of the package hosting services can ever guarantee that all the code its users upload is malware-free. Past research has shown that typosquatting — an attack leveraging typo’d versions of popular package names — can be incredibly effective in gaining access to random PCs across the world.
Other well-known dependency chain attack paths include using various methods to compromise existing packages, or uploading malicious code under the names of dependencies that no longer exist.
The Idea
While attempting to hack PayPal with me during the summer of 2020, Justin Gardner (@Rhynorater) shared an interesting bit of Node.js source code found on GitHub.
The code was meant for internal PayPal use, and, in its package.json file, appeared to contain a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time.
Since it was unclear what logic decided which package would be sourced from where, a few questions arose:
What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
Will developers, or even automated systems, start running the code inside the libraries?
If this works, can we get a bug bounty out of it?
Would this attack work against other companies too?
Without further ado, I started working on a plan to answer these questions.
The idea was to upload my own “malicious” Node packages to the npm registry under all the unclaimed names, which would “phone home” from each computer they were installed on. If any of the packages ended up being installed on PayPal-owned servers — or anywhere else, for that matter — the code inside them would immediately notify me.
At this point, I feel that it is important to make it clear that every single organization targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorization.
“It’s Always DNS”
npm allows arbitrary code to run automatically when a package is installed, so it was easy to create a Node package that collects some basic information about each machine it is installed on through its preinstall script.
To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports, while avoiding having my testing be mistaken for an actual attack.
One thing left now — how do I get that data back to me?
Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go.
Sending the information to my server through the DNS protocol was not essential for the test itself to work, but it did ensure that the traffic would be less likely to be blocked or detected on the way out.
The data was hex-encoded and used as part of a DNS query, which reached my custom authoritative name server, either directly or through intermediate resolvers. The server was configured to log each received query, essentially keeping a record of every machine where the packages were downloaded.
The More The Merrier
With the basic plan for the attack in place, it was now time to uncover more possible targets.
The first strategy was looking into alternate ecosystems to attack. So I ported the code to both Python and Ruby, in order to be able to upload similar packages to PyPI (Python Package Index) and RubyGems respectively.
But arguably the most important part of this test was finding as many relevant dependency names as possible.
A few full days of searching for private package names belonging to some of the targeted companies revealed that many other names could be found on GitHub, as well as on the major package hosting services — inside internal packages which had been accidentally published — and even within posts on various internet forums.
However, by far the best place to find private package names turned out to be… inside javascript files.
Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names. Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way.
During the second half of 2020, thanks to @streaak’s help and his remarkable recon skills, we were able to automatically scan millions of domains belonging to the targeted companies and extract hundreds of additional javascript package names which had not yet been claimed on the npm registry.
I then uploaded my code to package hosting services under all the found names and waited for callbacks.
Results
The success rate was simply astonishing.
From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.
This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations.
Due to javascript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages — but this does not necessarily mean that Python and Ruby are less susceptible to the attack. In fact, despite only being able to identify internal Ruby gem names belonging to eight organizations during my searches, four of these companies turned out to be vulnerable to dependency confusion through RubyGems.
One such company is the Canadian e-commerce giant Shopify, whose build sy



Category : news
