0x48 - Finding NPM Dependency Confusion
Did you know you can compromise an application without even sending one HTTP request to it?
Dependency confusion occurs when an attacker publishes a package to a public registry (such as npm) under the same name as a private, internal package that an organization uses. If the organization's package manager is configured to consult the public registry as well as its private one, it may resolve the attacker's package instead (typically because it carries a higher version number) and run its install scripts on developer machines and build servers. The application itself never has to receive a request from the attacker.
How to do it
Browse the application with Burp and look through the JavaScript it serves.
Check for npm modules referenced in the bundles. Scoped module paths are the interesting ones, for example:
define(["exports","../node_modules/@organization-name/package-name/
A path like this tells you the scope (@organization-name) and the package name that were present when the bundle was built.
Check whether that scope is registered on https://www.npmjs.com/ and whether the package exists on the public registry (https://registry.npmjs.org/@organization-name%2Fpackage-name returns 404 when it does not).
If the scope is unclaimed, register a user or organization with that name on npm and publish the package name under it (scoped packages need "npm publish --access public"). Use a higher version than the internal one so resolvers prefer it, keep the payload benign (for example a preinstall script that only reports the hostname to a server you control), and do this only against targets you are authorized to test.
Here is a detailed guide: https://deephunt3r.medium.com/dependency-confusion-4d675eb36e0f