Researcher Hacks Apple and Microsoft

A researcher claims to have hacked into the internal systems of major companies including Apple and Microsoft using a novel supply chain attack. 

Alex Biran created malicious node packages and uploaded them to the npm registry under unclaimed names. The node packages collected information through their preinstall script about the machines upon which they were installed. 

Next, Biran came up with a way to get the packages to send information back to him. 

"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," wrote Biran.

The data was hex-encoded and used as part of a DNS query, which reached the researcher's custom authoritative name server, either directly or through intermediate resolvers. Biran then found private package names inside JavaScript files. 

"Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way," Biran wrote.

In the latter half of 2020, Biran scanned millions of domains belonging to targeted companies and extracted hundreds of JavaScript package names that hadn't been claimed on the npm registry. He uploaded his malicious code to the package-hosting services and achieved a success rate that he described as "simply astonishing."

"Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," said Biran.

"This type of vulnerability, which I have s ..

Support the originator by clicking the read the rest link below.