Enterprise Dependency Confusion

Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.

discovered 2025-01-16

↓ JSON ↓ CSV

Objective

Achieve code execution inside targeted organizations by winning the public/private package name resolution race.

Packages

npmchrome-api-utilsattributed-to
npmgrafana-sentry-datasourceattributed-to
npm@patternfly-v5/patternflyattributed-to
npmelectron-builder-13attributed-to
npmgraphql.vscode-graphql-syntaxattributed-to
npmmattermost-cloudnative-bootstrapperattributed-to
npmhyatt-residential-rosterattributed-to
npmhyatt-albumattributed-to
npmhyatt-avatarattributed-to
npm@Schedaero/sharedattributed-to
npmoc-aa-module-clientattributed-to
npm@wame/ngx-adfsattributed-to
npm@the-coca-cola-company/ngps-global-common-utilsattributed-to
npmcr-static-shared-componentsattributed-to
npm@ceeferenderer/fe-renderer-sdkattributed-to
npm@genoma-ui/componentsattributed-to
npmrrweb-v1attributed-to
npm@needl-ai/commonattributed-to

Indicators

email[email protected]exfiltrates-to
domain64.227.183.144communicates-with
ipv464.227.183.144communicates-with
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1036 Masquerading: package impersonation and typosquattinguses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1546 Event Triggered Executionuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses

Read the full analysis →