Supply-chain attacks on open-source software are spreading faster than almost any other class of attack: dependency confusion, Log4j, malicious npm packages, compromised Ruby gems, and many more. This briefing focuses on one specific aspect of supply-chain risk: JavaScript (npm) packages whose maintainer account can be taken over because the domain of the maintainer's e-mail address has expired. Anyone who re-registers that domain can receive the registry's password-reset mail for the account and, unless two-factor authentication is enforced on it, publish a new version under the maintainer's name. This may sound low-impact, but a single package can be a dependency of hundreds of thousands of applications, and a malicious release would be devastating. We will demonstrate how an innocent JS package can become a disaster, and how a registry account takeover evades detection even by security tools such as Dependabot, SAST, and DAST: the poisoned release arrives through the legitimate account as an ordinary version bump, with no advisory for a dependency scanner to match.

We conducted extensive research on this issue, scanning the internet for widely used JS packages and collecting over 2.1 million packages with millions of downloads. We extracted the maintainer e-mail addresses of these packages and checked their domains to identify expired ones, then looked up the download counts of the vulnerable packages to quantify the impact. We will also present our own scripted tools and how they can be used to find such packages before an attacker does.
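The scan described above, reduced to its core, is an added illustration and not the speakers' own tooling: read npm registry package documents, pull the domains out of the maintainer e-mail addresses, skip public mail providers (a dormant Gmail mailbox is a different problem from an expired domain), ask an oracle whether each domain is still registered, and rank the hits by downloads. The package documents, download counts and the set of "registered" domains below are constructed sample data; in a real run the oracle would be a WHOIS/RDAP lookup and the inputs would come from the registry and its download-statistics API.

```python
"""Flag npm packages whose maintainer e-mail domain is no longer registered.

Added example (not the talk's tooling). Registry package documents carry a
`maintainers` array of {name, email} objects and may carry an `author` object;
that is the only registry structure this code assumes.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

# Mail providers whose domains will not lapse; an account there is out of
# scope for an expired-domain check. Illustrative list, not exhaustive.
PUBLIC_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "icloud.com", "protonmail.com", "proton.me",
}

_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain of an address, or None if it is not one."""
    match = _EMAIL_RE.match(email.strip())
    if not match:
        return None
    # Lower-case and drop a trailing dot so lookups and set membership agree.
    return match.group(1).lower().rstrip(".")


def maintainer_domains(package_doc: dict) -> Set[str]:
    """Collect every e-mail domain that can receive a reset mail for this package."""
    people = list(package_doc.get("maintainers") or [])
    author = package_doc.get("author")
    if isinstance(author, dict):  # `author` may also be a plain string; skip those
        people.append(author)
    domains: Set[str] = set()
    for person in people:
        email = person.get("email") if isinstance(person, dict) else None
        if not email:
            continue
        domain = email_domain(email)
        if domain:
            domains.add(domain)
    return domains


def find_takeoverable(package_docs: Iterable[dict],
                      monthly_downloads: Dict[str, int],
                      is_registered: Callable[[str], bool]) -> List[dict]:
    """Return packages with at least one lapsed maintainer domain, most-downloaded first.

    `is_registered` is the domain oracle (WHOIS/RDAP in a real scan); results
    are cached because one domain typically covers many packages.
    """
    cache: Dict[str, bool] = {}

    def registered(domain: str) -> bool:
        if domain not in cache:
            cache[domain] = is_registered(domain)
        return cache[domain]

    hits = []
    for doc in package_docs:
        exposed = sorted(
            d for d in maintainer_domains(doc)
            if d not in PUBLIC_MAIL_DOMAINS and not registered(d)
        )
        if exposed:
            hits.append({
                "package": doc["name"],
                "downloads": monthly_downloads.get(doc["name"], 0),
                "domains": exposed,
            })
    hits.sort(key=lambda h: h["downloads"], reverse=True)
    return hits


# ---- constructed sample data (not real packages, domains or counts) ----
SAMPLE_PACKAGES = [
    {"name": "left-widget",
     "maintainers": [{"name": "alice", "email": "alice@defunct-startup.example"}],
     "author": {"name": "alice"}},
    {"name": "tiny-util",
     "maintainers": [{"name": "bob", "email": "Bob@Gmail.com"}]},
    {"name": "corp-sdk",
     "maintainers": [{"name": "ci", "email": "ci@corp.example"},
                     {"name": "dan", "email": "dan@lapsed-domain.example"}]},
    {"name": "no-mail", "maintainers": [{"name": "eve"}], "author": "eve"},
]
SAMPLE_DOWNLOADS = {"left-widget": 120_000, "tiny-util": 9_000_000, "corp-sdk": 450_000}
REGISTERED_DOMAINS = {"corp.example", "gmail.com"}


def sample_is_registered(domain: str) -> bool:
    """Stand-in oracle: only the constructed set counts as registered."""
    return domain in REGISTERED_DOMAINS


if __name__ == "__main__":
    for hit in find_takeoverable(SAMPLE_PACKAGES, SAMPLE_DOWNLOADS, sample_is_registered):
        print(f"{hit['package']:<12} {hit['downloads']:>9} downloads  "
              f"lapsed: {', '.join(hit['domains'])}")
```

Two points a real run needs that the sample hides: a domain that resolves today is not necessarily held by the original maintainer (it may already have been re-registered by someone else), so "unregistered" is the strongest signal but not the only one, and any maintainer on the list is enough, since the registry will reset the password of whichever account the attacker controls the mailbox for.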
Danish Tariq is a Security Engineer by profession and a security researcher by passion. He has worked in cyber security for over 8 years, starting in his teenage years out of a curiosity to break things, physical or virtual, and look deep inside them. He has also participated in bug bounty programs, helping many companies by finding vulnerabilities at different levels; these include Microsoft, Apple, Nokia, BlackBerry, and Adobe.
- Spoke at BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
- Featured in The Register for an initial workaround for the npm dependency attacks.
- Recent security research and CVEs include CVE-2022-2848 and CVE-2022-25523.