Security News > 2021 > March > Malicious NPM packages target Amazon, Slack with new dependency attacks
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.
When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.
Since our report, BleepingComputer has been waiting for malicious actors to utilize this new vulnerability to deliver malicious packages.
These malicious packages are named 'amzn', 'zg-rentals', 'lyft-dataset-sdk', 'serverless-slack-app' and utilize similar names as known repositories on GitHub [1, 2] and other projects.
The 'amzn' and 'zg-rentals' NPM packages will not only steal the /etc/shadows password file and send it back to the attackers but also open up a remote shell, giving the threat actors full access to the system.
With the open and public nature of repositories and the ease of creating dependency confusion attacks, we should expect to see this type of attack continue until application developers secure their configuration files.