Dependency confusion attacks, where package managers override local packages with global ones, are flourishing, impacting Microsoft, Zillow, Lyft, and others
Dan Goodin / Ars Technica
Tweets: @llkkat, @ckstechnews, @naupliustrevor, @adam_baldwin, and @sambreed

Ilkka Turunen / @llkkat: So by our calculations Dependency Confusion copycats number near 6k at this point, just yesterday we saw 1.5k more in npm. This follows well-established supply chain strategies. There is evidence not all of them are just security research. https://blog.sonatype.com/...

@ckstechnews: A new type of supply-chain attack with serious consequences is flourishing. Via: https://www.contrastsecurity.com/... Source: https://blog.sonatype.com/... Microsoft Guidance: https://azure.microsoft.com/... https://twitter.com/...

Trevor Seward / @naupliustrevor: https://arstechnica.com/... Don't forget your if(true === true){console.log("true")}; package. Can we replace JS package managers with something sane, yet?

Adam Baldwin / @adam_baldwin: Avoiding npm substitution attacks by @izs
TL;DR
1. Use scopes for internal packages.
2. Use a .npmrc file in the root of a project to set the intended registry.
3. Take care when proxying.
4. Respond quickly to build failures.
https://github.blog/...

@sambreed: This is scary. I wonder if using a private npm namespace ("@your-company") with a separately configured registry URL is enough to nerf it... I guess just make sure you also own that namespace on the public registry! https://www.bleepingcomputer.com/...
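Added example, not code from the original post or from any of the sources it quotes: a Node script that checks the two configuration points raised in the TL;DR above (internal packages published under a scope, and a project .npmrc that pins that scope to a registry). It flags dependencies in an internal scope that the .npmrc does not pin, and lists unscoped names for manual review, since those are the ones a same-named public package can shadow. The scopes @acme and @acme-labs, the registry URL and the package names are constructed sample values.

```javascript
// Added example (not the original post's or any quoted project's code): audit
// package.json against .npmrc so every dependency in an internal scope resolves
// to an explicitly configured registry. Assumes npm's "@scope:registry=URL" syntax.

function parseNpmrc(text) {
  // Returns a Map of "@scope" -> registry URL from the .npmrc contents.
  const scopes = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const suffix = ':registry';
    if (key.startsWith('@') && key.endsWith(suffix)) {
      scopes.set(key.slice(0, -suffix.length), line.slice(eq + 1).trim());
    }
  }
  return scopes;
}

function auditNpmrc(packageJsonText, npmrcText, internalScopes) {
  // internalScopes: scopes the organisation publishes privately, e.g. ['@acme'].
  const pkg = JSON.parse(packageJsonText);
  const pinned = parseNpmrc(npmrcText);
  const deps = Object.keys({
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
    ...(pkg.optionalDependencies || {}),
  });
  const unpinnedScopes = internalScopes.filter((s) => !pinned.has(s)).sort();
  const unpinnedDeps = deps.filter((name) => name.startsWith('@') &&
    unpinnedScopes.includes(name.slice(0, name.indexOf('/')))).sort();
  // Unscoped names cannot be pinned per scope, so list them for manual review.
  const unscopedDeps = deps.filter((name) => !name.startsWith('@')).sort();
  return { unpinnedScopes, unpinnedDeps, unscopedDeps };
}

// Constructed sample inputs so the check runs stand-alone.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { '@acme/auth-client': '^1.2.0', 'acme-legacy-utils': '^2.0.0' },
  devDependencies: { '@acme-labs/telemetry': '^0.3.1', '@types/node': '^18.0.0' },
});
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@acme:registry=https://npm.internal.example/', // @acme pinned; @acme-labs is not
].join('\n');
console.log(JSON.stringify(auditNpmrc(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, ['@acme', '@acme-labs']), null, 2));
```

Running it on the sample reports @acme-labs as an unpinned scope, @acme-labs/telemetry as the affected dependency, and acme-legacy-utils as an unscoped name to review.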