New type of supply-chain attack hit Apple, Microsoft and 33 other companies


Supreme [H]ardness
Sep 24, 2001

The technique was unveiled last Tuesday by security researcher Alex Birsan. His so-called dependency confusion or namespace confusion attack starts by placing malicious code in an official public repository such as NPM, PyPI, or RubyGems. By giving the submissions the same package name as dependencies used by companies such as Apple, Microsoft, Tesla, and 33 other companies, Birsan was able to get these companies to automatically download and install the counterfeit code.
By giving the packages version numbers that were higher than the authentic ones, the targeted companies automatically downloaded and executed Birsan’s counterfeit packages.

“The success rate was simply astonishing,” Birsan wrote. He added...
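Added illustration, not from the Ars article or from Birsan's own write-up: a small Python model of why the attack in the post works and what stops it. A resolver that treats a private index and a public registry as one candidate pool picks the highest version it sees, so an attacker-registered public package with the same name and a bigger version number wins. Binding each package name to exactly one index defeats that. All index contents, package names (acme-billing-core) and versions below are constructed for the demo.

```python
"""Dependency confusion, simulated with constructed indexes.

This is an added example; it is not code from the article, the forum post,
or Birsan's research. It models the resolver behaviour the attack abuses
and two defensive checks a build pipeline can run.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple          # parsed (major, minor, patch)
    source: str             # index the candidate came from


def parse_version(v: str) -> tuple:
    """Parse a plain dotted version into a comparable tuple, e.g. '1.5.0' -> (1, 5, 0)."""
    return tuple(int(part) for part in v.split("."))


# Constructed data: a private package that was never published publicly ...
INTERNAL_INDEX = {
    "acme-billing-core": ["1.4.2", "1.5.0"],
}
# ... and a public registry where an attacker has registered the same name
# with a version number higher than anything the company ships internally.
PUBLIC_INDEX = {
    "requests": ["2.25.1"],
    "acme-billing-core": ["99.0.0"],
}
INDEXES = {"internal": INTERNAL_INDEX, "public": PUBLIC_INDEX}


def resolve_merged(name: str, indexes: dict) -> Candidate:
    """Vulnerable behaviour: every configured index is one pool, highest version wins.

    This is the 'extra index' pattern the attack relies on: the resolver has no
    notion that acme-billing-core is supposed to come only from the internal index.
    """
    candidates = [
        Candidate(name, parse_version(v), src)
        for src, idx in indexes.items()
        for v in idx.get(name, [])
    ]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name: str, pins: dict, indexes: dict) -> Candidate:
    """Mitigation: each package name is bound to exactly one index.

    Names absent from `pins` default to the public registry; a pinned name is
    looked up only in its pinned index, so a public look-alike is never a candidate.
    """
    src = pins.get(name, "public")
    versions = indexes[src].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found in pinned index {src!r}")
    return Candidate(name, max(parse_version(v) for v in versions), src)


def find_confusable(internal: dict, public: dict) -> list:
    """Audit check: private package names that also exist on the public registry.

    Any hit is either a collision to investigate or a name the organisation
    should have registered (claimed) on the public side itself.
    """
    return sorted(set(internal) & set(public))


if __name__ == "__main__":
    bad = resolve_merged("acme-billing-core", INDEXES)
    print(f"merged resolution:  {bad.source} {bad.version}")   # public (99, 0, 0)
    pins = {"acme-billing-core": "internal"}
    good = resolve_pinned("acme-billing-core", pins, INDEXES)
    print(f"pinned resolution:  {good.source} {good.version}")  # internal (1, 5, 0)
    print("confusable names:", find_confusable(INTERNAL_INDEX, PUBLIC_INDEX))
```

The `resolve_merged` path is the failure mode described in the post; `resolve_pinned` is the shape of the fix (explicit index per package name, never a shared pool), and `find_confusable` is the cheap inventory check to run against whatever private names a build actually pulls. Real package managers have their own flags for per-package source binding; the pinning here is a model of that idea, not any specific tool's option.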