NPM Supply Chain Attack
Last modified: 2023-07-12
An attacker might be able to lead an organization to install a malicious NPM package by abusing a misconfiguration of the internal proxy server or package manager.
This page does not have much content yet.
Dependency Confusion
The PoC is available thanks to the researcher who discovered the threat.
Lock File Injection
Attackers may insert their malicious npm package into yarn.lock or package-lock.json in the target project.
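
A review-time check for the lock file injection described above, as an added example that is not part of the original page: it audits the packages map of a package-lock.json (lockfileVersion 2 or 3) and flags entries whose tarball source is off the allowed registry, lacks an integrity hash, or does not match the package name it is installed as. The allowed host list, the function name and the sample lock file are constructed assumptions; yarn.lock is not covered.

```javascript
// Added example: audit the "packages" map of a package-lock.json (v2/v3).
// Assumption: the public registry is the only trusted source; list your proxy host instead.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
const PREFIX = 'node_modules/';

function auditLockfile(lockText, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const packages = JSON.parse(lockText).packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // Skip the root project, workspace sources/links and bundled deps (no tarball of their own).
    if (!path.includes(PREFIX) || entry.link || entry.inBundle) continue;
    const flag = (issue) => findings.push({ path, issue, resolved: entry.resolved });
    if (!entry.integrity) flag('missing integrity hash');
    let url, tarballPath;
    try {
      url = new URL(entry.resolved);
      tarballPath = decodeURIComponent(url.pathname);
    } catch {
      flag('missing or unparsable resolved URL');
      continue;
    }
    if (url.protocol !== 'https:') flag('non-https source');
    if (!allowedHosts.has(url.host)) flag('unexpected host');
    // The install path names the package the project expects;
    // the tarball path names the package that is actually fetched.
    const name = entry.name || path.slice(path.lastIndexOf(PREFIX) + PREFIX.length);
    if (!tarballPath.includes(`/${name}/-/`)) flag('name mismatch');
  }
  return findings;
}

// Constructed sample lock file (hosts, versions and hashes are made up for the example).
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/is-odd': { version: '3.0.1', integrity: 'sha512-CONSTRUCTED',
      resolved: 'https://packages.example.test/is-odd/-/is-odd-3.0.1.tgz' },
    'node_modules/is-even': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED',
      resolved: 'https://registry.npmjs.org/constructed-other-pkg/-/constructed-other-pkg-1.0.0.tgz' },
    'node_modules/ms': { version: '2.1.3',
      resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.3.tgz' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.issue} (${f.resolved})`);
```

Running a check like this in CI on every pull request that touches the lock file surfaces the change in the diff a human reviewer is least likely to read.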