Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple
2021-02-10 13:49

These installers, such as the Python Package Index for Python or npm and the npm registry for Node, are usually tied to public code repositories where anyone can freely upload code packages for others to use, Birsan noted.

Birsan decided to answer this question last summer while attempting to hack PayPal with another ethical hacker, Justin Gardner, who shared with him "an interesting bit of Node.js source code found on GitHub," Birsan said.

The code, which was meant for internal PayPal use, had in its package.json file a mix of public and private dependencies, including public packages from npm, as well as non-public package names, most likely hosted internally by PayPal, that did not exist on the public npm registry at the time.
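The mix described above, a manifest that names both public npm packages and internal-only packages that nobody has published publicly, is exactly what a defender wants to find in their own repositories before anyone else does. The following is an added example, not code from the article or from Birsan: it audits a package.json for unscoped dependency names that are absent from the public registry, and checks a package-lock.json so that every resolved URL points at an approved registry host. The manifest, lockfile, registry host name and the public-registry stub are all constructed for the example; a real audit would query `https://registry.npmjs.org/<name>` and treat a 404 as "not published".

```python
"""Audit npm manifests for dependency-confusion exposure (defender-side check).

Constructed example: the sample manifest, lockfile, and the public-registry
stub are made up here so the script runs offline.
"""
import json
import re
from urllib.parse import urlparse

# Stand-in for a public-registry lookup. In production, replace this with an
# HTTP GET against https://registry.npmjs.org/<name>; a 404 means the name is
# unpublished and therefore claimable by anyone.
PUBLIC_REGISTRY_STUB = {"express", "lodash", "react", "@types/node"}

# npm scope prefix, e.g. "@acme/logger". Scoped names only resolve to the scope
# owner's packages, so they are reported separately (the org must still own the
# scope on the public registry for this to hold).
SCOPE_RE = re.compile(r"^@[a-z0-9][\w.-]*/")

# Constructed package.json mixing public and internal-only names.
SAMPLE_MANIFEST = json.dumps({
    "name": "internal-checkout",
    "dependencies": {
        "express": "^4.17.1",
        "lodash": "4.17.20",
        "internal-auth-lib": "^1.2.0",      # private, unscoped: exposed
        "@acme/logger": "^2.0.0",           # private, scoped
    },
    "devDependencies": {
        "react": "^17.0.0",
        "build-tools-internal": "0.9.1",    # private, unscoped: exposed
    },
})

# Constructed package-lock.json (lockfileVersion 2/3 "packages" layout).
SAMPLE_LOCK = json.dumps({
    "packages": {
        "node_modules/express": {
            "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz"},
        "node_modules/internal-auth-lib": {
            "resolved": "https://npm.internal.example/internal-auth-lib/-/internal-auth-lib-1.2.0.tgz"},
    },
})


def is_on_public_registry(name, lookup=None):
    """True if the name resolves on the public registry (stubbed here)."""
    lookup = PUBLIC_REGISTRY_STUB if lookup is None else lookup
    return name in lookup


def audit_manifest(manifest_text, lookup=None):
    """Classify every dependency name in a package.json.

    Returns a dict with sorted lists:
      public    - unscoped names that exist on the public registry
      scoped    - names under an @scope (verify the org owns the scope)
      unclaimed - unscoped names with no public package: a third party could
                  publish one, and a misconfigured client would install it
    """
    manifest = json.loads(manifest_text)
    findings = {"public": [], "scoped": [], "unclaimed": []}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if SCOPE_RE.match(name):
                findings["scoped"].append(name)
            elif is_on_public_registry(name, lookup):
                findings["public"].append(name)
            else:
                findings["unclaimed"].append(name)
    return {key: sorted(names) for key, names in findings.items()}


def unexpected_resolved(lock_text, allowed_hosts):
    """List (path, host) pairs whose tarball was resolved from a host outside
    the approved set. Pinning every dependency to one internal mirror means a
    public package with the same name is never consulted."""
    lock = json.loads(lock_text)
    flagged = []
    for path, meta in lock.get("packages", {}).items():
        url = meta.get("resolved")
        if not url:
            continue
        host = urlparse(url).netloc
        if host not in allowed_hosts:
            flagged.append((path, host))
    return sorted(flagged)


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for name in report["unclaimed"]:
        print(f"EXPOSED  {name}: no public package; scope it or reserve the name")
    for path, host in unexpected_resolved(SAMPLE_LOCK, {"npm.internal.example"}):
        print(f"RESOLVED {path} from {host}, not the approved internal registry")
```

The lockfile check deliberately flags even genuine public packages when they were fetched straight from registry.npmjs.org: the point of the mitigation is that every install goes through one registry the organisation controls, which can then refuse to proxy a public package whose name collides with an internal one.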

He combed private package names belonging to targeted companies to find as many relevant dependency names as possible.

His search revealed that many other names could be found on GitHub, as well as on the major package hosting services (inside internal packages which had been accidentally published) and even within posts on various internet forums.

News URL

https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/