Security Experts:

Connect with us

Hi, what are you looking for?



Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.

To show the risks associated with using improperly managed public packages, Birsan decided to look for dependencies that known companies use, and show how these dependencies could be abused by threat actors to breach the targeted organizations.

The main issue that he discovered was that, although code used internally within the targeted environments does say which packages to use, it doesn’t always dictate where these packages should be sourced from.

Thus, Birsan came up with the idea of researching for the names of both private and public packages used by the targeted companies, creating his own packages using the same names, and storing these packages on public repositories, in hopes that they would be loaded instead of legitimate packages.

Birsan started with his own “malicious” Node package uploaded to the npm registry, which contained code to fingerprint the system and report back with enough information to allow for the identification of the targeted organization.

Related Reading: PayPal Patches Vulnerability That Exposed User Passwords

“To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports,” the researcher explains.

With most targets within corporate networks, the researcher leveraged DNS exfiltration as means to ensure that the gathered information is indeed sent back to his server.

Furthermore, to ensure that he could identify as many targets as possible, the researcher ported the code to both Python and Ruby, and uploaded packages to PyPI (Python Package Index) and RubyGems.

During his research, Birsan discovered multiple package names on GitHub and other major package hosting services (including the names of internal packages that were accidentally made public), as well as in posts on internet forums.

“Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names,” the researcher notes.

During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.

“One thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan reveals.

More than 35 organizations were found vulnerable to this type of attack – which the researcher called dependency confusion – most of them with over 1,000 employees each. Because JavaScript dependency names were easier to find, most of the callbacks (75%) came from npm packages.

Affected organizations include Shopify, which issued a $30,000 bug bounty for the discovery, Apple, also with a $30,000 reward, PayPal, also with a $30,000 bounty payout, and Microsoft, with a $40,000 reward. Other major companies that were found to be impacted include Netflix, Yelp and Uber.

All of the targeted organizations had provided permissions to have their security tested, either through public bug bounty programs, or through private agreements, the researcher notes.

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Related: GitHub Helps Developers Keep Dependencies Secure via Dependabot

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.