Pixel Envy

Written by Nick Heer.

Dependency Confusion Can Allow Malicious Packages to Insert Themselves Into Builds

Alex Birsan:

Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names. Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way.


From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.

One of the things that is most impressive and, therefore, terrifying about this attack vector is just how clean it is. It has echoes of malicious software updates but it is even more straightforward.