Workload misconfigurations

NPM package potentially vulnerable to dependency confusion attack

Platform(s)
  • Non-platform specific

Compliance Frameworks
  • CPRA
  • iso_27001_2022
  • iso_27002_2022
  • NIST 800-53

Description

A Dependency Confusion attack occurs when a software installer script is tricked into pulling a malicious package from a public repository instead of the intended package of the same name from an internal repository. The package referenced by this workload was found to be missing from the public NPM Registry. A bad actor can abuse this scenario by creating a malicious NPM package and publishing it to the public NPM Registry under the same name.
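As an added illustration (not a check from the policy or its vendor), the script below reads a project's package.json together with its .npmrc and lists every dependency that npm will resolve against the public registry: unscoped names, and scoped names whose scope is not bound to a private registry. Each name on that list must exist on the public registry and be owned by the project, otherwise it is exactly the missing-from-public-registry case this policy flags. The package.json, .npmrc and package names are constructed sample inputs.

```python
import json
import re

# Constructed sample inputs: a package.json mixing public packages with
# internal ones, and an .npmrc that binds only the @acme scope privately.
PACKAGE_JSON = """{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/auth-client": "^2.1.0",
    "acme-internal-utils": "1.4.0"
  },
  "devDependencies": {
    "@acme/test-helpers": "^0.3.0",
    "jest": "^29.0.0"
  }
}"""

NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example.com/
"""

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry_url} for each '@scope:registry=' line in .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def public_registry_deps(package_json_text, npmrc_text):
    """Dependency names that npm will fetch from the public registry.

    Only a scoped name whose scope is bound to a non-public registry is
    routed privately; every other name falls through to the public
    registry and must therefore exist there under the project's control.
    """
    pkg = json.loads(package_json_text)
    scopes = parse_npmrc_scopes(npmrc_text)
    exposed = []
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            scope = name.split("/")[0] if name.startswith("@") else None
            private = scope in scopes and scopes[scope] != PUBLIC_REGISTRY
            if not private:
                exposed.append(name)
    return sorted(exposed)
```

Here `acme-internal-utils` is reported alongside the genuinely public `express` and `jest`; an unscoped internal name like that is the one to verify on the public registry or move under a privately bound scope.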