Last week, a researcher demonstrated a new supply-chain attack that executed counterfeit code on networks belonging to some of the biggest companies on the planet, Apple, Microsoft, and Tesla included. Now, fellow researchers are peppering the Internet with copycat packages, with more than 150 of them detected so far.
The technique was unveiled last Tuesday by security researcher Alex Birsan. His so-called dependency confusion or namespace confusion attack starts by placing malicious code in an official public repository such as NPM, PyPI, or RubyGems. By giving the submissions the same package name as dependencies used by companies such as Apple, Microsoft, Tesla, and 33 other companies, Birsan was able to get these companies to automatically download and install the counterfeit code.
Dependencies are public code libraries or packages that developers use to add common types of functionality to the software they write. By leveraging the work of thousands of their open source peers, developers are spared the hassle and expense of creating the code themselves. The developer’s code automatically downloads and incorporates the dependency, or any update to it, either from the developer’s local computer or from a public repository.