A few days ago a surprisingly simple method was published that allows attacking the dependencies of applications developed using internal package repositories. The researchers who identified the problem were able to run their code on the internal servers of 35 companies, including PayPal, Microsoft, Apple, Netflix, Uber, Tesla and Shopify.
The hacks were carried out as part of bug bounty programs, in coordination with the affected companies, and the researchers have already received $130,000 in rewards for identifying the vulnerabilities.
The method relies on the fact that many companies' internal applications use both standard dependencies from the public NPM, PyPI and RubyGems repositories and internal dependencies that are not publicly distributed and are downloaded from the companies' own repositories.
The problem is that package managers such as npm, pip and gem also try to download a company's internal dependencies from the public repositories. For an attack it is enough to learn the names of the internal dependencies and publish packages with the same names in the public NPM, PyPI and RubyGems repositories.
The problem is not specific to NPM, PyPI and RubyGems; it also manifests itself in other systems such as NuGet, Maven and Yarn.
When resolving dependencies, the package managers npm, pip and gem preferred to install packages from the primary public repositories NPM, PyPI and RubyGems, which were treated as higher priority.
The presence of packages with the same names in the company's private repository was ignored, with no warning shown and no failure that could have drawn an administrator's attention. In PyPI the download priority was determined by the version number (the most recent version of the package was downloaded regardless of which repository it came from); in NPM and RubyGems it depended only on the repository.
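As an added example (not part of the original article or the researchers' tooling), a small Python audit that lists the internal dependencies in a package.json or requirements.txt and checks whether a package of the same name already exists on the public registry, so that collisions and unclaimed names can be found before an attacker does. The "acme-" naming prefix, the sample manifests and the lookup helper are assumptions of this example; the registry URLs are the real npm and PyPI metadata endpoints.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Assumed naming convention (constructed for this example): every package whose
# name starts with "acme-" is expected to exist only in the company's private registry.
INTERNAL_PREFIX = "acme-"

# Constructed sample manifests, not taken from any real project.
SAMPLE_PACKAGE_JSON = ('{"dependencies": {"express": "^4.17.1", "acme-auth": "1.2.0"},'
                       ' "devDependencies": {"acme-build-tools": "0.3.1"}}')
SAMPLE_REQUIREMENTS = "requests==2.25.1\nacme_internal.utils==3.0.0  # private index\n-e ./local\n"

def internal_names(manifest: str, fmt: str) -> List[str]:
    """Return the dependency names in a manifest that follow the internal convention."""
    if fmt == "npm":
        data = json.loads(manifest)
        names = list(data.get("dependencies", {})) + list(data.get("devDependencies", {}))
    elif fmt == "pypi":
        names = []
        for line in manifest.splitlines():
            m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0].strip())
            if m:  # normalise as PyPI does: case-insensitive, '_' and '.' equal to '-'
                names.append(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    else:
        raise ValueError(f"unsupported manifest format: {fmt}")
    return [n for n in names if n.startswith(INTERNAL_PREFIX)]

def public_registry_has(name: str, fmt: str) -> bool:
    """True if the public registry already serves a package with this name (live lookup)."""
    url = {"npm": f"https://registry.npmjs.org/{urllib.parse.quote(name, safe='@')}",
           "pypi": f"https://pypi.org/pypi/{name}/json"}[fmt]
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

def audit(manifest: str, fmt: str,
          exists: Callable[[str, str], bool] = public_registry_has) -> Dict[str, str]:
    """Map each internal dependency to its exposure: a public package with the same name
    can be installed instead (npm/gem: registry priority; pip: highest version wins)."""
    return {n: ("PUBLIC-COLLISION" if exists(n, fmt) else "unclaimed")
            for n in internal_names(manifest, fmt)}
```

Names reported as "unclaimed" should be reserved on the public registry or moved under a registered scope, and "PUBLIC-COLLISION" entries checked for who published them.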
The researcher placed packages in the NPM, PyPI and RubyGems repositories whose names matched the internal dependencies that had been found, adding code to the script that runs before installation (the preinstall hook in npm) to collect information about the system and send it to an external host.
To report whether the hack had succeeded while bypassing firewalls that block outbound traffic, the code used a covert channel over the DNS protocol: it resolved a hostname in a domain under the attacker's control, so that the DNS server for that domain could record successful executions. The hostname, username and current path were passed in this way.