0x48 - Finding NPM Dependency Confusion

Did you know you can compromise an application without even sending one HTTP request to it?

Dependency confusion occurs when a malicious actor publishes a package to a public registry (like npm) with the same name as an internal package used by an organization, so that package managers resolving the name against the public registry fetch the attacker's package instead of the internal one.


How to do it

  1. Browse the application using Burp

  2. Check for NPM modules loaded (things like `define(["exports","../node_modules/@organization-name/package-name/...`)

  3. Check if the organization is registered on https://www.npmjs.com/

  4. If not, register it and create the package name with your malicious code

Here is a detailed guide: https://deephunt3r.medium.com/dependency-confusion-4d675eb36e0f
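The defensive counterpart to step 3 is to find out which of your own dependencies would be resolved against the public registry at all. The script below is an added example, not code from this page or from the linked guide: it reads a `package.json` and an `.npmrc`, and flags scoped dependencies whose scope has no `@scope:registry=` mapping and unscoped dependencies that match an assumed internal naming convention (`acme-` here). The sample `package.json`, `.npmrc`, scope and hostnames are constructed for illustration.

```python
import json
import re

# Constructed sample project manifest (not from any real project).
PACKAGE_JSON = '''{
  "name": "internal-app",
  "dependencies": {
    "@acme-internal/auth-client": "^2.1.0",
    "@acme-labs/telemetry": "^0.3.0",
    "acme-billing-utils": "1.4.2",
    "express": "^4.18.2"
  },
  "devDependencies": {
    "lodash": "^4.17.21"
  }
}'''

# Constructed sample .npmrc: only @acme-internal is pinned to an internal registry.
NPMRC = '''registry=https://registry.npmjs.org/
@acme-internal:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
'''

# Assumed naming convention for unscoped internal packages (hypothetical).
INTERNAL_NAME_PATTERNS = [r"^acme-"]


def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=' line."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^(@[^:\s]+):registry=(\S+)$", line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def package_scope(name):
    """'@scope/pkg' -> '@scope'; unscoped names -> None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def find_confusable(package_json_text, npmrc_text, internal_patterns):
    """List (package, reason) pairs for dependencies that would be fetched
    from the public registry even though they look internal."""
    pkg = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    scopes = parse_npmrc_scopes(npmrc_text)

    findings = []
    for name in sorted(deps):
        scope = package_scope(name)
        if scope is not None:
            # Scoped name: safe only if the scope is mapped to a private registry.
            if scope not in scopes:
                findings.append((name, f"scope {scope} has no registry mapping in .npmrc"))
        elif any(re.search(p, name) for p in internal_patterns):
            # Unscoped internal-looking name: always resolves against the public registry.
            findings.append((name, "unscoped internal name resolves against the public registry"))
    return findings


if __name__ == "__main__":
    for name, reason in find_confusable(PACKAGE_JSON, NPMRC, INTERNAL_NAME_PATTERNS):
        print(f"{name}: {reason}")
```

Anything the script reports is a name that a public package could shadow; the fix is to move such packages under a scope, map that scope to the internal registry in `.npmrc`, and rely on a committed lockfile so resolution does not silently change.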