This attack is a type of supply chain attack. It occurs when a dependency library is downloaded from a public repository instead of from where it was intended, i.e. the private repository/package manager, because an attacker was able to trick the build into downloading a public version of the package that they control.
How it works is that the package manager will always try to download the latest version of the package, so for example if your package in the private repository is [email protected] but an attacker publishes a package called [email protected] in the npm registry, then your package manager will fetch the attacker's package because it carries the higher version (if the version is not pinned).
In short, a package manager may look for packages in the public registry before the private registry where they are actually defined.
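As an added defender-side example (not code from the original note), the following script audits a project's package.json together with its .npmrc for exactly the exposure described above: internal package names that are unscoped (so they could be resolved from the public registry) and whose version specs float rather than being pinned. The package.json, .npmrc and the list of known-internal names are constructed inline; the organisation name "acme" and the registry URL are assumptions.

```javascript
// Constructed sample inputs (not a real project).
const PACKAGE_JSON = JSON.stringify({
  name: "acme-app",
  dependencies: {
    "@acme/auth-lib": "1.4.2",       // scoped and mapped in .npmrc: resolves privately only
    "acme-internal-utils": "^1.0.0", // unscoped internal name, floating range: exposed
    "acme-reporting": "2.3.1",       // unscoped internal name, exact pin: still resolvable publicly
    "lodash": "^4.17.21"             // genuine public package, not a confusion target
  }
});
const NPMRC = [
  "@acme:registry=https://npm.internal.example/",
  "//npm.internal.example/:_authToken=${NPM_TOKEN}"
].join("\n");
// Names the team knows to be internal packages (assumption: maintained by the org).
const INTERNAL_NAMES = new Set(["acme-internal-utils", "acme-reporting"]);

// Collect "@scope:registry=URL" mappings from an .npmrc file.
function parseNpmrcScopes(text) {
  const scopes = new Map();
  for (const line of text.split("\n")) {
    const m = line.trim().match(/^(@[^:]+):registry=(\S+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// An exact "x.y.z" pin; anything with ^, ~, >=, x or ranges floats.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Return one finding per dependency that a public package of the same name could hijack.
function auditDependencies(pkgJsonText, npmrcText, internalNames) {
  const pkg = JSON.parse(pkgJsonText);
  const scopes = parseNpmrcScopes(npmrcText);
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && scopes.has(scope)) continue;  // pinned to the private registry by scope
    if (!internalNames.has(name)) continue;    // public package; nothing to confuse
    const pinned = isExactVersion(spec);
    findings.push({
      name, spec,
      severity: pinned ? "medium" : "high",
      reason: pinned
        ? "unscoped internal name; exact pin limits version hijack but name is still resolvable publicly"
        : "unscoped internal name with floating range; a higher public version would be installed"
    });
  }
  return findings;
}

console.log(JSON.stringify(auditDependencies(PACKAGE_JSON, NPMRC, INTERNAL_NAMES), null, 2));
```

The fix for each finding is to publish the package under a scope that .npmrc maps to the private registry, which removes the public registry from resolution entirely.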
How to Exploit :
To exploit this you first have to find an internal dependency that is not listed on the public npm registry. You can do this by manual enumeration or using tools like JSMiner on Burp.
After you have found your target, let's say it is: [email protected]
An attacker can now go to the npm CLI on their machine and create a package with that name in the npm registry, using the resource here: https://docs.npmjs.com/creating-node-js-modules (make sure the version is something absurdly high) and the npm init command. For this you would need an npm account. Then in the package.json file we can add a preinstall command which runs our reverse shell.
Then publish our package using:
npm publish --scope public