Maintainers of the NPM Registry and Python Package Index (PyPI) have removed thousands of rogue packages smuggled into the repositories via the novel ‘dependency confusion’ technique.

Less than a month since security researcher Alex Birsan’s disclosure of the new method for infiltrating open source ecosystems, mischief-makers have collectively flooded the two repositories with more than 5,000 packages.

Threat actors began imitating Birsan’s exploit within 48 hours of him revealing that his ‘dummy’ packages had successfully breached ecosystems maintained by Apple, Microsoft, and PayPal.


In a recent blog post, Sonatype security researcher Juan Aguirre said that attackers had initially plagiarized Birsan’s proof-of-concept before “gradually” becoming more “creative”.

Dependency confusion attacks seed the software ecosystem with malicious components by overriding privately-used dependency packages with malicious, public packages of the same name. This contrasts with ‘typosquatting’ packages, which instead have similar names to popular packages, an attack tactic that’s besieged repositories in recent years.

Proliferating packages

Ax Sharma, a senior security researcher at Sonatype, told The Daily Swig that the DevOps automation specialist has identified more than 8,000 ‘dependency confusion’ packages so far. They typosquat repositories, namespaces or components used by the likes of Amazon, Zillow, Lyft, and Slack.

Many exfiltrate /etc/shadow files containing hashed passwords or .bash_history files containing usernames and passwords.

PyPI maintainers, meanwhile, removed 3,653 suspicious packages associated with a single user on March 1 after the CuPy project reported on February 29 that the imminent release of its cupy-cuda112 package had been hijacked.

There was a further development on Wednesday (March 3) as Sonatype revealed that it had discovered a further 1,500 NPM packages emanating from the CuPy attacker.

Sharma said NPM had removed the first batch “within a few hours but more keep coming”.

“It’s going to be a whack-a-mole situation for the next few weeks, it seems, unless concrete validation is put in place by open source ecosystems,” Sharma warned.


Some culprits have purported to have a noble motive, while others have uploaded apparently non-malicious, or moderately malicious, packages.

For instance, the PyPI malware author, ‘RemindSupplyChainRisks’, claimed to want everyone to “pay attention to software supply chain attacks, because the risks are too great”.

However, while Sharma observed that many rogue NPM packages had a “security research purposes only” disclaimer, the spawning of a reverse shell in many cases revealed this to be a possible attempt “to fool the analyst”.

The attacks probably presaged further, “more sinister activities” ahead, he predicted.

Similarly, software vendor Qentinel has said that packages it recently detected that exploited flawed default behavior in Python package installer pip “were empty placeholder libraries”, speculating that they represented a “trial run” by nefarious actors.

Defense in depth

Last month Google’s security blog featured a proposal to create “development processes that ensure sufficient review, avoid unilateral changes, and transparently lead to well-defined, verifiable official versions” for software deemed ‘critical’.

However, Firefox CTO Eric Rescorla has since warned that such processes would create “friction” for resource-light package developers rather than for the often “well-funded” projects that depend on them.

Mozilla was instead exploring measures such as “fine-grained sandboxing to contain the impact of compromise”, and ways for component developers “to tag the dependencies they use and depend on” that would serve as an implicit testimonial (manifesting for example as ‘Firefox uses this crate’).

Sonatype’s contributions to the defense-in-depth approach required to address the problem, meanwhile, include a ‘dependency/namespace confusion checker’ script that helps developers identify whether they have fallen prey to dependency confusion attacks.
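As an added illustration (this is not Sonatype’s script and not code from the article), the sketch below audits an npm `package-lock.json` for internally named packages that were not resolved from the organisation’s private registry, which is the symptom dependency confusion leaves behind. The registry host, package names, scope and sample lockfile are all constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumptions (constructed): the private registry host and the names/scopes the org owns.
PRIVATE_REGISTRY_HOST = "npm.internal.example"
INTERNAL_NAMES = {"acme-billing-utils"}
INTERNAL_SCOPES = {"@acme"}

# Constructed sample lockfile in the npm lockfileVersion 3 layout.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "shop-frontend", "version": "1.0.0"},
    "node_modules/@acme/auth": {"version": "2.1.0",
        "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.1.0.tgz"},
    "node_modules/acme-billing-utils": {"version": "1.4.2",
        "resolved": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-1.4.2.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/lodash/node_modules/@acme/log": {"version": "1.0.0"},
}})

def package_name(lock_key):
    """'node_modules/a/node_modules/@s/b' -> '@s/b', so nested installs are covered."""
    return lock_key.rpartition("node_modules/")[2]

def is_internal(name):
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    return name in INTERNAL_NAMES or scope in INTERNAL_SCOPES

def find_confused(lock_text):
    """Return (name, version, reason) for internal names not pinned to the private registry."""
    findings = []
    for key, meta in json.loads(lock_text).get("packages", {}).items():
        if not key or meta.get("link"):  # skip the root project and workspace symlinks
            continue
        name = package_name(key)
        if not is_internal(name):
            continue
        resolved = meta.get("resolved")
        host = urlparse(resolved).hostname if resolved else None
        if host != PRIVATE_REGISTRY_HOST:
            reason = f"resolved from {host}" if host else "no resolved URL recorded"
            findings.append((name, meta.get("version"), reason))
    return findings

if __name__ == "__main__":
    for name, version, reason in find_confused(SAMPLE_LOCK):
        print(f"REVIEW {name}@{version}: {reason}")
```

Run against a real lockfile in CI, a non-empty result is a reason to fail the build and inspect where the flagged package came from before it is installed anywhere else.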

A spokesperson for GitHub, which operates the NPM Registry, told The Daily Swig that they “will continue to remove proof-of-concept exploits submitted for security research purposes under the npm Open-Source Terms”, and pointed developers to a blog post containing advice on avoiding dependency confusion attacks.

From: PortSwigger