Dependency Confusion Attack

The Story of a Novel Supply Chain Attack

Hello readers, so today I’m gonna talk about Dependency Confusion Attack and how to perform this attack in the real world. This attack comes into the picture when the user wants to install any sort of package, library, repos, etc. from the internet. Usually, the user only needs to specify the name or source of the library, and the package manager handles download and installation on its own. These package managers have become simpler by abstracting the complex logic of managing packages from the user and leading to supply chain attacks.

Before we dwell more on the attack part let’s understand the basics of it.

1. What are the packages and dependencies?

So basically, a package is a module that can be added to any program to add additional options, features, or functionality. We have different package managers for all the OS, for example, if you want to install some libraries onto your Ubuntu machine to be done by “apt-get” something like this right? or if you have a macOS you install it using homebrew. We all might have seen GitHub tools that have a .txt file and usually contains all the latest modules and dependent packages. If you wanted to install some packages for particular languages like python, there’s this “pip” which is a python package manager and for node, it is “npm” so these are public registry npm js and python-pip you might have used it.

pip install package_name

So, for different programming languages, we have different package managers for themselves.

2. Public and Private registries

Talking about the public registries, we have one example “npm js” which has a lot of packages, of course, the public packages which you could download and use for your own personal reference, and there is a private package also but for that, you need to pay, you can host your own private repositories as well similarly there is this python package manager which has a public repository. So private registries are where you host your own created modules and the natural question that hits your mind is “Why would someone create a private registry?” So basically what happens is a lot of companies create their own modules which are consumed in-house and to consume this in-house they don’t want these to be publicly available because that’s their proprietary code so they host these packages on their own private registries. One of the most common hosting libraries or registries is “Verdaccio”.

3. Setting up a basic node project

Now we will be setting up a basic node project so that I could make you understand the Confusion Attack. So let’s take an example, I have created a basic node hello-world project, and here’s the package.json file so in this file we have all details, like the name of the package; its version, etc. The link to my project 👇

https://github.com/InfoSecAntara/Node-Hello-World

You can also create your own private npm repo with the following command

npm init

Create your own private repo

So yeah now we have a basic package or node program ready so every node program must have a “package.json” which you know that’s the “npm” what are different dependencies and what are different scripts that are the author license and everything.

4. Installing public dependencies, for example express js

So now let’s install public dependencies into it, maybe I want to install this express js so here’s the command you just have to copy and paste onto your terminal.

npm i express

installing Public repo

Cool, the packages are now locally installed onto your machine, so it would create a node module, and also add it into the dependencies, so if you would “ls -alh” you would see node modules.

Node modules installed

If you would remember the private repo we created and has the dependencies keys that were added in the “package.json” and it contains this express module so the version is also mentioned and there's a tag “^”, this an operator that’s a basic use case.

package.json

5. Creating and Publishing a npm package

So for creating our own private repos, we would be using the “verdaccio” platform, please watch the video below 👇

Reference:
https://github.com/verdaccio/verdaccio

install with: “npm install — global verdaccio@6-next — registry https://registry.verdaccio.org/

Get started with:- “verdaccio”

create a user and log in
“npm adduser — registry http://localhost:4873

publish your package
“npm publish — registry http://localhost:4873” → let’s create package 1st → command — “npm init”

For one-off commands or to avoid setting the registry globally:
“NPM_CONFIG_REGISTRY=http://localhost:4873 npm i”

6. Understanding Confusion Attack

Dependency Confusion Attack is basically when any user or automated build system tries to fetch the packages from the public registries and when these public registries are manipulated ones then instead of getting the actual package they would install the fake attacker's package from the public registry. Let’s have a look at the flowchart diagram.

flowchart explanation

You understand that the “npm i” command is being run and then npm looks for the “package.json” and then it checks whether the registry value is set or not, if the registry value is not set just like shown in the video above, so if found the variable is set it will accept the set value or else it will go for the public registry and fetched the required data, so here is an opportunity for a malicious actor to exploit, as when the registry value is not set, so by using the public registry manipulations with the same package name onto the public registry and make the victims to auto-install and also get it executed.

So, let’s host our newly created package onto the npm registry;

created own package to host on the npm registry

Let’s publish this package using the following command;

npm publish

package published
our own package

Our package is uploaded successfully, and now when any users will install this package they will be installing this malicious one. Further to this malicious malware scripts can also be written into these packages and attacking victims' machines.

the published package is installed

Thank you All for making out the time and reading this article.

Stay Tuned for another interesting attack!!

You can connect with me @https://github.com/InfoSecAntara

Antara is an Information, Network Security professional, and a Security Researcher/Auditor.