A researcher was able to breach 35+ companies, including Microsoft and Apple, using a software supply chain attack that leveraged an open source ecosystem flaw; here's how to protect against it

Tweets:

Pukhraj Singh / @rungrage: Being so out in the public domain, this is going to be a house of pain for software companies. On the policy side: this is why international law can't even begin to account for borders, boundaries & critical infrastructure. Labyrinths within labyrinths. https://medium.com/...

Sanjiva Weerawarana / @sanjiva: Very interesting read on software supply chain security issues: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/...

@jacobian: Yikes, this is really bad: https://medium.com/... I'm not sure what the fix looks like. For now, if you're using private package repos, be extremely careful until a more holistic fix can be made. https://twitter.com/...

@doctorow: In “Dependency Confusion,” security researcher @alxbrsn describes how he made a fortune in bug bounties by exploiting a new supply-chain attack he calls “dependency confusion,” which allowed him to compromise “Apple, Microsoft and dozens of others.” https://medium.com/... 1/ https://twitter.com/...

Sam Newman / @samnewman: Great stuff - brilliant even - but also incredibly disturbing. https://twitter.com/...

Reuben Binns / @rdbinns: ‘Dependency confusion’: “Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.” https://www.bleepingcomputer.com/...

Benjamin Balder Bach / @benjaoming: If you're using internal repositories with PyPI or NPM or RubyGems, your internal and trusted package can be replaced by an external malware package merely by the hacker guessing its name. https://www.bleepingcomputer.com/...

Sam Stepanyan / @securestep9: Major companies including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber compromised in a novel software supply chain attack. Malware was placed in open source repositories, which then got distributed downstream into the applications: https://www.bleepingcomputer.com/...

Markus Alvila / @raredata: If you're developing or maintaining software relying on private packages (especially JavaScript, Python, Ruby), learn about this novel supply chain attack. Apple, Microsoft, Uber, Netflix, (...) were all vulnerable: https://medium.com/...

@knurd42: “[...] The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company's internal applications. [...]” https://www.bleepingcomputer.com/...
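The tweets above describe the mechanism but not the resolver behaviour it depends on. The following is an added example, not code from the researcher, Techmeme or any of the quoted accounts. It models what happens when a build tool merges a private and a public index and simply picks the highest version of a name (the behaviour pip's --extra-index-url and permissive registry proxies exhibit), then shows the two mitigations a practitioner would reach for: resolving each internal name only from its designated source, and auditing which internal names already exist publicly. All package names, versions and the index contents are constructed for illustration and are not real packages.

```python
"""Model of a dependency-confusion name collision and of pinning each name to a source.

Everything here is constructed sample data: the indexes are plain dicts, the
package names (acme-auth, acme-billing) are hypothetical, and no network is used.
"""
from typing import Dict, Set, Tuple

Index = Dict[str, Set[str]]          # package name -> set of published versions

# Constructed private index: the company's internal packages.
PRIVATE_INDEX: Index = {
    "acme-auth": {"1.4.2", "1.4.1"},
    "acme-billing": {"0.9.0"},
}

# Constructed public index: one legitimate package plus an attacker-published
# package that reuses the internal name "acme-auth" with an absurdly high version.
PUBLIC_INDEX: Index = {
    "requests": {"2.25.1"},
    "acme-auth": {"99.0.0"},
}

INDEXES: Dict[str, Index] = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

# Hardened configuration: every internal name is mapped to the only source it may
# be fetched from. Anything not listed defaults to the public index.
SOURCE_POLICY: Dict[str, str] = {"acme-auth": "private", "acme-billing": "private"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str, indexes: Dict[str, Index]) -> Tuple[str, str]:
    """Vulnerable resolution: merge all indexes and take the highest version seen.

    This is the behaviour dependency confusion exploits. The attacker's public
    99.0.0 beats the genuine private 1.4.2 because only the version is compared,
    never the source.
    """
    candidates = []
    for source, index in indexes.items():
        for version in index.get(name, ()):
            candidates.append((parse_version(version), version, source))
    if not candidates:
        raise LookupError(f"{name!r} not found in any index")
    _, version, source = max(candidates)
    return version, source


def resolve_pinned(name: str, indexes: Dict[str, Index],
                   policy: Dict[str, str]) -> Tuple[str, str]:
    """Hardened resolution: consult only the source the policy assigns to the name.

    A public package squatting on an internal name is never even considered,
    because internal names are never looked up on the public index.
    """
    source = policy.get(name, "public")
    versions = indexes[source].get(name)
    if not versions:
        # Deliberately do NOT fall through to another index; a missing internal
        # package is a configuration error, not a reason to search the internet.
        raise LookupError(f"{name!r} not published on designated source {source!r}")
    return max(versions, key=parse_version), source


def find_collisions(policy: Dict[str, str], public_index: Index) -> list:
    """Audit step: internal names that also exist on the public index.

    Each hit is either an already-squatted name or one worth claiming yourself
    so nobody else can publish under it.
    """
    internal_names = [n for n, src in policy.items() if src == "private"]
    return sorted(n for n in internal_names if n in public_index)


if __name__ == "__main__":
    print("naive :", resolve_naive("acme-auth", INDEXES))          # attacker wins
    print("pinned:", resolve_pinned("acme-auth", INDEXES, SOURCE_POLICY))
    print("collisions:", find_collisions(SOURCE_POLICY, PUBLIC_INDEX))
```

The point of resolve_pinned is that the fix is not "use a higher version" or "check the public index first"; it is that an internal name must have exactly one permitted source, and a miss there must fail the build rather than fall through. find_collisions is the companion check to run against your real internal name list before an attacker does the same enumeration.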