IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Malicious ‘dependency confusion’ packages are stealing password files

The new vulnerability is targeting Amazon, Zillow, Lyft, and Slack code repositories

Security researchers have identified malicious code in JavaScript repositories that could enable hackers to steal password files in Linux and Unix systems.

According to cyber security firm Sonotype, these “dependency confusion” packages are published to the npm ecosystem and named after repositories, namespaces, or components companies commonly use, such as Amazon, Zillow, Lyft, and Slack. These malicious packages include amzn, zg-rentals, lyft-dataset-sdk, and serverless-slack-app.

Hackers created packages using names similar to ones found in a legitimate organization’s internal repositories. In public repositories, such internal names can be found referenced in public code repositories, such as GitHub, in source code files. 

When hosted on a public site, dependency managers use these packages rather than internal ones belonging to a company when creating an application.

This "dependency confusion" enables hackers to insert their malicious code into an internal application to carry out a supply-chain attack. Researchers said many of these packages have no disclaimers or code comments in place that indicate these are linked to any kind of ethical bug bounty program or created for security research purposes. 

While having such a disclaimer is no guarantee a package’s author is working in good faith, a lack of one can surely raise alarm bells, especially when combined with malicious code, said researchers.

“As soon as these packages are installed automatically because they share a name with an internal dependency (thereby exploiting “dependency confusion”), they exfiltrate the user’s .bash_history file and /etc/shadow, and in some cases spawn a reverse shell,” said researchers.

In one example, a package named “amzn” contained code that opened a reverse shell to their server, which would spawn as soon as the `amzn` package infiltrated the vulnerable build. It also displayed the contents of a /etc/shadow file.

The /etc/shadow file is a successor to the /etc/passwd Linux file that maintains hashed password data of user accounts on a system.

“Although the file is typically restricted to “superuser” accounts, there remains a slight chance of a malicious actor, in this case, being able to obtain the file should the infected machine be running npm with elevated privileges,” said researchers.

Sonatype security researcher Juan Aguirre said he was “starting to wonder when we were going to see a malicious actor take advantage of the current situation. Finally, we've spotted one.”

“There is no scenario I can imagine where I'm going to submit a PoC for a bug bounty program that actually harms the organization. Taking their /etc/shadow file is definitely harmful,” he added.

In creating these malicious packages, hackers have used the same code base as the proof-of-concept PoC released by security researcher Alex Birsan, who discovered this flaw. The hackers then got creative.

“These packages stood out because they reflect the behavior of actual malware, a first stage payload to grab a binary which further grabs your bash history,” said Aguirre.

While some malicious packages steal the /etc/shadow password file, some others, such as “lyft-dataset-sdk” and “serverless-slack-app,” steal a .bash_history file and send it to a remote host under the hacker’s control. This file lists all commands typed into a shell, including passwords. This enables hackers to harvest credentials.

Researchers said they only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities.

Organizations have been urged to download a “dependency/namespace confusion checker” script from GitHub to check if they have artifacts with the same name between repositories and determine if a dependency confusion attack has impacted them in the past.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Solve cyber resilience challenges with storage solutions
Whitepaper

Solve cyber resilience challenges with storage solutions

4 Jul 2022
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

4 Jul 2022
Introducing IBM Security QRadar XDR
Whitepaper

Introducing IBM Security QRadar XDR

4 Jul 2022
HackerOne employee fired for using position to steal bug bounties
Security

HackerOne employee fired for using position to steal bug bounties

4 Jul 2022

Most Popular

Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022
Latest LockBit ransomware strain 'strikingly similar' to BlackMatter
ransomware

Latest LockBit ransomware strain 'strikingly similar' to BlackMatter

4 Jul 2022