A cybersecurity researcher has come up with an unusual attack vector for tech companies that use open source tools.
Many IT giants install packages from public repositories (such as PyPI, npm, and RubyGems).
The trick, now known as dependency confusion, works like this: companies often depend on internal packages that exist only on a private registry. The researcher registered packages with those same names on the public registries and gave them a higher version number than the internal ones. Because the installers consult both the private and the public index and take whichever candidate has the highest version, the build systems treated the attacker's upload as an "update" and fetched the malicious code. The substitution worked in three language ecosystems: Python (PyPI), Ruby (RubyGems), and JavaScript (npm).
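To make the mechanism concrete, here is a small resolver simulation written for this article; it is not the researcher's code and the indexes, package names and versions in it are constructed. It shows why a client that merges a private index with a public one picks the attacker's upload, and contrasts that with a scoped resolver that never compares versions across indexes, plus a check that lists which internal names already exist on the public index.

```python
"""Dependency confusion: a toy package resolver showing why the public upload wins,
and two countermeasures. Added example for illustration; the registries, package
names and versions below are constructed, not real data from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # which index served this candidate: "private" or "public"


def parse_version(version: str) -> tuple:
    """Minimal numeric version parser (1.2.0 -> (1, 2, 0)); real tools use PEP 440."""
    return tuple(int(part) for part in version.split("."))


# Constructed indexes. 'acme-utils' is an internal package that exists only on the
# company's private index; the attacker later publishes the same name on the public
# index with a much higher version.
PRIVATE_INDEX = {"acme-utils": ["1.0.0", "1.2.0"]}
PUBLIC_INDEX = {
    "requests": ["2.25.1", "2.26.0"],
    "acme-utils": ["99.0.0"],  # attacker-controlled upload
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def resolve_naive(name: str, indexes: dict) -> Candidate:
    """Behaviour of a client configured with a private index *and* a public fallback
    (for example pip's --extra-index-url): merge candidates from every index and
    pick the highest version, regardless of where it came from."""
    candidates = [
        Candidate(name, v, index_name)
        for index_name, index in indexes.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"no index serves {name}")
    return max(candidates, key=lambda c: parse_version(c.version))


def resolve_scoped(name: str, indexes: dict, internal_names: set) -> Candidate:
    """Countermeasure 1: internal names are resolved from the private index only,
    everything else from the public index only. Versions are never compared across
    the two, so a public upload of an internal name is simply ignored."""
    index_name = "private" if name in internal_names else "public"
    versions = indexes[index_name].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found on the {index_name} index")
    best = max(versions, key=parse_version)
    return Candidate(name, best, index_name)


def find_confusable(internal_names: set, public_index: dict) -> set:
    """Countermeasure 2 (detection): which of our internal package names already
    exist on the public index? Any hit is either our own defensive placeholder or
    somebody else's upload and needs investigating."""
    return {name for name in internal_names if name in public_index}


if __name__ == "__main__":
    internal = {"acme-utils"}
    print("naive :", resolve_naive("acme-utils", INDEXES))              # public 99.0.0 wins
    print("scoped:", resolve_scoped("acme-utils", INDEXES, internal))   # private 1.2.0
    print("confusable names:", find_confusable(internal, PUBLIC_INDEX))  # {'acme-utils'}
```

The scoped resolver only protects names that are on its internal allowlist; a name missing from that list falls through to the public index and is exposed exactly as in the naive case, which is why the detection check is worth running against the full list of internal package names.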
He managed to penetrate the internal systems of 35 large organizations - including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber.
The companies paid the specialist a total of $130,000 in rewards for helping to discover security flaws.