Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. This novel technique tries to avoid being detected by security scanners or AppSec platforms, which sometimes only look at the latest version of a package. It does so by publishing a benign latest version after a burst of malicious versions with high version numbers.

In the past few weeks, the Checkmarx SCS team has detected 14 malicious packages exhibiting this new behavior. They all have a benign latest version along with multiple malicious versions trying to exfiltrate the machine’s environment variables.

At first glance, it seems that this kind of technique would defeat the purpose of the attack, as the malicious functionality won’t be installed by end-users using the “npm install” command, which automatically serves the package’s latest version. However, these end-users are not the attackers’ targets. It seems the attackers’ intent is to target automatic updates of “patch” and “minor” versions as part of dependency confusion attacks.

To better understand this nuance, some background on NPM and semantic versioning (semver) is required. A great resource about semver is … and is highly recommended to check out. In a nutshell, a valid semver version is constructed from 3 parts: “major”, “minor”, and “patch”.

Major – Promoted when making significant version changes, usually known breaking changes.
Minor – Promoted when adding new features.
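As an added example (not code from the Checkmarx post), the following JavaScript models the npm behavior the evasion relies on: a range such as `^1.0.0` resolves to the highest published version that satisfies it, regardless of which version the `latest` dist-tag points at, so a scanner that only inspects `latest` misses what a dependency update actually installs. The package name and version list are constructed, and versions are assumed to be plain `x.y.z` without prerelease tags.

```javascript
// Constructed example: model npm range resolution vs. the "latest" dist-tag.
const parse = (v) => v.split('.').map(Number);        // "1.2.3" -> [1, 2, 3]
const cmp = (a, b) => {                                 // semver precedence
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
};

// Does version v satisfy a caret (^) or tilde (~) range, as npm applies them?
function satisfies(v, range) {
  const op = range[0], base = parse(range.slice(1)), x = parse(v);
  if (cmp(v, range.slice(1)) < 0) return false;         // lower bound: >= base
  if (op === '~') return x[0] === base[0] && x[1] === base[1]; // ~1.2.3 -> <1.3.0
  if (op === '^') {                // ^ pins the leftmost non-zero component
    const k = base.findIndex((n) => n !== 0);            // ^1.2.3 -> <2.0.0
    const pin = k < 0 ? 2 : k;                           // ^0.2.3 -> <0.3.0
    for (let i = 0; i <= pin; i++) if (x[i] !== base[i]) return false;
    return true;
  }
  throw new Error('unsupported range: ' + range);
}

// Resolve as npm does: the highest published version satisfying the range,
// independent of the "latest" dist-tag.
function resolve(versions, range) {
  const ok = versions.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Defender's check: flag a package whose "latest" tag is not its highest
// version; returns the highest version when that is the case, else null.
function latestIsNotHighest(pkg) {
  const highest = [...pkg.versions].sort(cmp).pop();
  return cmp(pkg.distTags.latest, highest) < 0 ? highest : null;
}

// Constructed registry metadata mirroring the pattern in the article: a burst
// of high-numbered versions, then a lower benign version published last.
const sample = {
  name: 'example-internal-lib',                          // placeholder name
  versions: ['1.0.0', '1.4.7', '1.9.3', '9.8.1', '1.0.1'],
  distTags: { latest: '1.0.1' },
};
```

With this metadata, `npm install example-internal-lib` would take `latest` (1.0.1), while a lockfile-less update of `^1.0.0` pulls 1.9.3 and `latestIsNotHighest` flags 9.8.1 as the version a latest-only scan would never see.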