Backdoor in public repository used new form of attack to target big firms

Read Time:5 Minute, 10 Second

Skull and crossbones in binary code

A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploits public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher , Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.

A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.

This isn’t the dependency you’re looking for

Dependency confusion exploits companies’ reliance on open source code available from repositories such as NPM, PyPI, or RubyGems. In some cases, the company software will automatically connect to these sources to retrieve the code libraries required for the application to function. Other times, developers store these so-called dependencies internally. As the name suggests, dependency confusion works by tricking a target into downloading the library from the wrong place—a public source rather than an internal one.

To pull this off, hackers scour JavaScript code, accidentally published internal packages, and other sources to discover the names of internally stored code dependencies by the targeted organization. The hackers then create a malicious dependency and host it on one of the public repositories. By giving the malicious package the same name as the internal one and using a higher version number, some targets will automatically download it and update the software. With that, the hackers have succeeded in infecting the software supply chain the targets rely on and getting the target or its users to run malicious code.

Over the past few weeks, researchers from two security firms have tracked code dependencies that used maintainer and package names that closely resembled those that might be used by four German companies in the media, logistics, and industrial sectors. The package names and corresponding maintainer names were:

  • bertelsmannnpm;
  • boschnodemodules;
  • stihlnodemodules;
  • dbschenkernpm;

Based on those names, the researchers deduced that the packages were designed to target Bertelsmann, Bosch, Stihl, and DB Schenk.

Inside each package was obfuscated code that obtained the target’s username, hostname, and the file contents of specific directories and exfiltrated them through HTTPS and DNS connections. The malicious package would then install a backdoor that reported to an attacker-operated command and control server to fetch instructions, including:

  • Download a file from the C2 server
  • Upload a file to the C2 server
  • Evaluate arbitrary Javascript code
  • Execute a local binary
  • Delete and terminate the process
  • Register the backdoor on the C2 server

Researchers from JFrog and ReversingLabs—the two security firms that independently discovered the malicious packages—quickly found they were part of the same family as malicious packages that security firm Snyk found last month. While Snyk was the first to spot the files, it didn’t t have enough information to identify the intended target.

Plot twist

On Wednesday, just hours before both JFrog and ReversingLabs posted blogs here and here, a penetration testing boutique named Code White took credit for the packages.

“Tnx for your excellent analysis,” the firm said in a tweet that addressed Snyk and cited its blog post from last month. “And don’t worry, the ‘malicious actor’ is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients. To clarify your questions: we’re trying to mimic realistic threat actors for dedicated clients as part of our Security Intelligence Service and we brought our ‘own’ package manager that supports yarn and npm.”

In a direct message, Code White CEO David Elze said the company intern created and posted the packages as part of a legitimate penetration-testing exercise explicitly authorized by the companies affected.

“We do not disclose the names of our clients but specifically, I can confirm that we’re legally contracted by the affected companies and were acting on their behalf to simulate these realistic attack scenarios,” Elze said.

Code White’s involvement means that the dependency confusion attacks discovered by Snyk and later observed by JFrog and ReversingLabs weren’t a sign that real-world exploits of this vector are ramping up. Still, it would be a mistake to think that this attack class is never used in the wild and won’t be again.

In March, security firm Sonatype uncovered malicious packages posted on npm that targeted Amazon, Slack, Lyft, and Zillow. These packages contained no disclaimers indicating that they were part of a bug bounty program or a benign proof-of-concept exercise. What’s more , the packages were programmed to exfiltrate sensitive user information, including bash history and the contents of /etc/shadow, the directory where Linux user password data is stored. In some cases, the packages also opened a reverse shell.

JFrog has also spotted malicious attacks in the wild, including the previously mentioned presence of more than 200 packages on npm for various Azure projects that stole personal information from developers’ computers.

That means that even though this latest discovery was a false alarm, malicious dependency confusion attacks do occur in the wild. Given the dire consequences that could arise from a successful one, organizations should invest time testing their systems or use the services of companies like Snyk, JFrog, ReversingLabs, or Sonatype, all of which monitor open source ecosystems for vulnerabilities and exploits.

go to see more here in tech news

0 %
0 %
0 %
0 %
0 %
0 %
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Privacy & Cookie policy
Privacy & Cookies policy
Cookie name Active

Who we are

Suggested text: Our website address is:


Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.


Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

Suggested text: If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Suggested text: Visitor comments may be checked through an automated spam detection service.
Save settings
Cookies settings