
Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks
2021-02-10 13:54

Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.

To show the risks of using improperly managed public packages, Birsan decided to look for dependencies that well-known companies use and to show how those dependencies could be abused by threat actors to breach the targeted organizations.

The main issue he discovered was that, although the code used internally within the targeted environments specifies which packages to use, it does not always dictate which registry those packages should be fetched from.

Birsan therefore came up with the idea of searching for the names of both private and public packages used by the targeted companies, creating his own packages with the same names, and publishing them to public repositories, in the hope that they would be installed instead of the legitimate packages.
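The weakness described above is that a manifest names its packages but not their source. One defensive check, written here as an added example rather than code from the article or from Birsan's research, scans an npm manifest for internal package names that the public registry could satisfy: unscoped internal names, and scoped names whose scope is not pinned to a private registry in `.npmrc`. The manifest, the internal package inventory, the `@acme` scope, the `npm.internal.example` registry URL and both `.npmrc` files are constructed for the example.

```python
"""
Dependency-confusion risk check for an npm manifest (added example).

Defender-side rule of thumb:
  * internal packages live under a private scope (for example @acme/...)
  * .npmrc pins that scope to the internal registry
  * an unscoped internal name, or a scoped name whose scope is not pinned,
    is flagged, because a same-name package published to the public
    registry could be installed in its place.
"""
import json
import re

# Constructed sample manifest, as an internal project might ship it.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-billing-service",
    "dependencies": {
        "express": "^4.17.1",
        "acme-auth-client": "1.2.0",    # internal, unscoped: confusable
        "@acme/logging": "^2.0.0",      # internal, scoped
        "@acme/metrics": "^1.1.0",      # internal, scoped
    },
    "devDependencies": {
        "jest": "^26.6.0",
        "acme-test-utils": "0.3.1",     # internal, unscoped: confusable
    },
})

# Constructed inventory of packages that exist only on the internal registry.
INTERNAL_PACKAGES = {
    "acme-auth-client", "acme-test-utils", "@acme/logging", "@acme/metrics",
}
INTERNAL_SCOPE = "@acme"                                  # hypothetical scope
INTERNAL_REGISTRY = "https://npm.internal.example/"       # placeholder URL

# Constructed .npmrc contents: one with no scope mapping, one with it.
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"
NPMRC_FIXED = (
    "registry=https://registry.npmjs.org/\n"
    "@acme:registry=https://npm.internal.example/\n"
)

SCOPE_RE = re.compile(r"^(@[^/]+)/")


def parse_npmrc(text):
    """Return {scope: registry_url} for every '@scope:registry=' line."""
    scoped = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, url = line.split(":registry=", 1)
            scoped[scope] = url.strip()
    return scoped


def all_dependencies(manifest):
    """Merge every dependency section of a parsed package.json."""
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(key, {}))
    return deps


def find_confusable(package_json_text, npmrc_text, internal_packages):
    """Return internal dependency names that the public registry could satisfy.

    A name is confusable when it is internal and either has no scope, or has
    a scope that .npmrc does not pin to a registry.
    """
    manifest = json.loads(package_json_text)
    scoped_registries = parse_npmrc(npmrc_text)
    risky = []
    for name in sorted(all_dependencies(manifest)):
        if name not in internal_packages:
            continue  # genuinely public dependency, public registry by design
        match = SCOPE_RE.match(name)
        if match is None:
            risky.append(name)                      # unscoped internal name
        elif match.group(1) not in scoped_registries:
            risky.append(name)                      # scope not pinned
    return risky


def suggest_fix(name, scope=INTERNAL_SCOPE, registry=INTERNAL_REGISTRY):
    """Describe the remediation for one confusable name."""
    if SCOPE_RE.match(name):
        return f"pin scope in .npmrc: {name.split('/')[0]}:registry={registry}"
    return f"rename to {scope}/{name} and add {scope}:registry={registry}"


if __name__ == "__main__":
    for label, npmrc in (("weak .npmrc", NPMRC_WEAK), ("fixed .npmrc", NPMRC_FIXED)):
        print(f"[{label}]")
        for name in find_confusable(SAMPLE_PACKAGE_JSON, npmrc, INTERNAL_PACKAGES):
            print(f"  {name}: {suggest_fix(name)}")
```

With the weak `.npmrc` all four internal names are reported, because nothing tells the client where `@acme` packages live; with the scope pinned, only the two unscoped names remain, and the fix for those is to move them under the private scope. The same idea applies to other ecosystems: the check is whether the manifest plus client configuration determine the source of every internal package, not just its name.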

During his research, Birsan discovered multiple package names on GitHub and other major package hosting services, as well as in posts on internet forums.

During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/HZCnJ-oDqY0/software-dependencies-exposed-microsoft-apple-high-impact-attacks