Microsoft Has Warned of a New Type of Attack on the Supply Chain

Microsoft has warned businesses about a new type of attack, called a dependency confusion or substitution attack, which targets the application build process in an enterprise environment.

Nowadays, developers in both small and large companies use package managers to load and import libraries when building enterprise applications, which are then assembled together using development tools. These corporate applications are offered to customers of the company or can be used by employees for internal needs.

Sometimes, depending on the purpose, applications may also contain proprietary or sensitive code. For such programs, as a rule, private libraries are used, stored in closed (internal) repositories within the company's own network. When building these applications, developers combine private libraries with public ones downloaded from open package portals such as PyPI, NuGet, etc. According to Microsoft experts, cybercriminals can take advantage of this mixed development environment in large corporations by carrying out a "dependency confusion" attack.

As the experts explained, after learning the names of private libraries used in the development of corporate applications, attackers can register those same names in open package repositories and upload public libraries containing malicious code.

A "dependency confusion" attack occurs when developers build their applications in an enterprise environment and their package managers prioritize the malicious libraries from public repositories over the internal libraries of the same name.
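To make the resolution step concrete, the following is an added example written for this page; it is not code from the article, from Microsoft, or from the researchers. It models a package manager that sees two indexes, a private one and a public one, with constructed sample data: the internal library name `acme-auth` is a hypothetical placeholder, as are the version numbers and digests. The naive resolver merges all indexes and takes the highest version, which mirrors how pip treats an `--extra-index-url`; the scoped resolver consults only the private index for names registered as internal, and a hash-pinned resolver rejects a substitute even when it carries the same version number. The last function is the defender's check: which internal names already exist on the public index.

```python
"""Toy model of dependency resolution across a private and a public package
index (added example, not the article's or any vendor's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, int, int]
    index: str     # "private" or "public"
    digest: str    # constructed stand-in for a sha256 of the package file


# Constructed sample indexes. The internal name "acme-auth" has leaked and a
# copy with an absurdly high version sits on the public index; a second public
# copy reuses the internal version number exactly.
PRIVATE_INDEX: Dict[str, List[Candidate]] = {
    "acme-auth": [Candidate("acme-auth", (1, 2, 0), "private", "priv-digest-120")],
}
PUBLIC_INDEX: Dict[str, List[Candidate]] = {
    "acme-auth": [
        Candidate("acme-auth", (99, 0, 0), "public", "pub-digest-9900"),
        Candidate("acme-auth", (1, 2, 0), "public", "pub-digest-120"),
    ],
    "requests": [Candidate("requests", (2, 31, 0), "public", "pub-digest-req")],
}

# Names the organisation knows are internal (hypothetical allowlist).
INTERNAL_NAMES: Set[str] = {"acme-auth"}


def resolve_naive(name: str) -> Candidate:
    """Merge every configured index and pick the highest version.

    This is the behaviour that makes dependency confusion work: the public
    99.0.0 outranks the private 1.2.0 because the resolver treats both
    indexes as equally trustworthy.
    """
    cands = PRIVATE_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])
    if not cands:
        raise LookupError(f"no candidate for {name}")
    return max(cands, key=lambda c: c.version)


def resolve_scoped(name: str) -> Candidate:
    """Resolve internal names from the private index only.

    A missing internal package is an error, never a fallback to the public
    index, so a public package of the same name is never considered.
    """
    if name in INTERNAL_NAMES:
        cands = PRIVATE_INDEX.get(name, [])
        if not cands:
            raise LookupError(f"internal package {name} missing from private index")
    else:
        cands = PUBLIC_INDEX.get(name, [])
        if not cands:
            raise LookupError(f"no candidate for {name}")
    return max(cands, key=lambda c: c.version)


def resolve_hash_pinned(name: str, version: Tuple[int, int, int],
                        expected_digest: str) -> Optional[Candidate]:
    """Accept only the candidate whose digest matches the lock file entry.

    Pinning the version alone is not enough, because the public index can
    publish the same version number; pinning the digest is what catches the
    substitution. Returns None when no trustworthy candidate exists.
    """
    cands = PRIVATE_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])
    for c in cands:
        if c.version == version and c.digest == expected_digest:
            return c
    return None


def find_shadowed_internal_names() -> List[str]:
    """Detection: internal names that also exist on the public index.

    Run against real indexes this is the monitoring check a defender wants;
    here it runs against the constructed sample data.
    """
    return sorted(n for n in INTERNAL_NAMES if n in PUBLIC_INDEX)


if __name__ == "__main__":
    print("naive  :", resolve_naive("acme-auth"))
    print("scoped :", resolve_scoped("acme-auth"))
    print("pinned :", resolve_hash_pinned("acme-auth", (1, 2, 0), "priv-digest-120"))
    print("shadowed internal names:", find_shadowed_internal_names())
```

The scoped resolver corresponds to serving all internal names through a single trusted index or proxy that never falls through to the public registry, and the digest check corresponds to hash-verified lock files; the shadowing check is the one to schedule against the real public registries for every internal package name.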

In order to test their assumption, the researchers decided to identify situations where large tech companies accidentally disclosed the names of various internal libraries, and to register those names in package repositories like npm, RubyGems and PyPI. As a result, they were able to get their (non-malicious) code pulled into the builds of applications used by 35 large companies, including Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, etc.

Apart from RubyGems and PyPI, the issue also affects other package managers such as JFrog, Maven Central and NuGet. The researchers notified all affected companies and the creators of the package managers.

