#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Dependency Confusion | Breaking Cybersecurity News | The Hacker News

Category — Dependency Confusion
Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution

Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution

Sep 16, 2024 Cloud Security / Vulnerability
A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion. The vulnerability has been codenamed CloudImposer by Tenable Research. "The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool," security researcher Liv Matan said in a report shared with The Hacker News. Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository. So, a threat actor could stage a large-scale supply chain attack by publ
Apache Cordova App Harness Targeted in Dependency Confusion Attack

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Apr 23, 2024 Supply Chain Attack / Application Security
Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness . Dependency confusion attacks  take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private repository. If successful, it can have serious consequences, such as infecting all downstream customers that install the package. A May 2023 analysis of npm and PyPI packages stored in cloud environments by enterprise security company Orca  revealed  that nearly 49% of organizations are vulnerable to a dependency confusion attack. While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security
How to Get Going with CTEM When You Don't Know Where to Start

Want To Excel in Cybersecurity Risk Management?

Georgetown UniversityWebinar / Risk Management
Manage cybersecurity risk with a Georgetown master's degree. Learn more in our Oct. 23 webinar.
PyTorch Machine Learning Framework Compromised with Malicious Dependency

PyTorch Machine Learning Framework Compromised with Malicious Dependency

Jan 02, 2023 Supply Chain / Machine Learning
The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a  dependency confusion attack . "PyTorch-nightly Linux packages installed via pip during that time installed a dependency,  torchtriton , which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary," the PyTorch team  said  in an alert over the weekend. PyTorch, analogous to Keras and TensorFlow, is an open source Python-based machine learning framework that was originally developed by Meta Platforms. The PyTorch team said that it became aware of the malicious dependency on December 30, 4:40 p.m. GMT. The supply chain attack entailed uploading the malware-laced copy of a legitimate dependency named torchtriton to the Python Package Index (PyPI) code repository. Since package managers like pip check public code registr
cyber security

Master the Art of AI-powered Cybersecurity

websiteNVIDIAArtificial Intelligence / Cybersecurity
Learn to build and manage advanced AI workflows that safeguard data against emerging threats, enhancing your ability to detect and respond to potential security breaches with this free course.
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers

Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers

Dec 09, 2021
At least 17 malware-laced packages have been discovered on the NPM package Registry, adding to a  recent barrage of malicious software  hosted and delivered through open-source software repositories such as PyPi and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and  environment variables  from users' computers as well as gain full control over a victim's system. "The packages' payloads are varied, ranging from infostealers up to full remote access backdoors," researchers Andrey Polkovnychenko and Shachar Menashe said in a  report  published Wednesday. "Additionally, the packages have different infection tactics, including typosquatting,  dependency confusion  and trojan functionality." The list of packages is below - prerequests-xcode (version 1.0.4) discord-selfbot-v14 (version 12.0.3) discord-lofy (version 11.5.1) discordsystem (version 11.5.1) discord-vilao (version 1.0.0) fix-e
Expert Insights / Articles Videos
Cybersecurity Resources