Enterprise Dependency Confusion

discovered 2025-01-16

Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.

more…

Objective

Achieve code execution inside targeted organizations by winning the public/private package name resolution race.

Packages

npm chrome-api-utilsattributed-to
npm grafana-sentry-datasourceattributed-to
npm @patternfly-v5/patternflyattributed-to
npm electron-builder-13attributed-to
npm graphql.vscode-graphql-syntaxattributed-to
npm mattermost-cloudnative-bootstrapperattributed-to
npm hyatt-residential-rosterattributed-to
npm hyatt-albumattributed-to
npm hyatt-avatarattributed-to
npm @Schedaero/sharedattributed-to
npm oc-aa-module-clientattributed-to
npm @wame/ngx-adfsattributed-to
npm @the-coca-cola-company/ngps-global-common-utilsattributed-to
npm cr-static-shared-componentsattributed-to
npm @ceeferenderer/fe-renderer-sdkattributed-to
npm @genoma-ui/componentsattributed-to
npm rrweb-v1attributed-to
npm @needl-ai/commonattributed-to

Indicators

email jaddyday2@gmail.comexfiltrates-to
domain 64.227.183.144communicates-with
ipv4 64.227.183.144communicates-with
email victim59@proton.meexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1036 Masqueradinguses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1546 Event Triggered Executionuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses

Read the full analysis →