This repository has been archived by the owner on Dec 29, 2022. It is now read-only.

Security Vulnerability (Usage of unclaimed npm package leads to RCE) #277

Open
xaiervishu0410 opened this issue Jan 17, 2022 · 0 comments
@xaiervishu0410

In this file there is a dependency named "axiom-base" at version 1.0.0.

I searched for this package and there was no such package on npmjs.com.

So I published a package with the same name, "axiom-base", with a higher version, "3.0.0".

We can see it at: https://www.npmjs.com/package/axiom-base

This vulnerability is the well-known "Dependency Confusion Attack".

Reference: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Attack scenario:

If this package had been claimed by an attacker, this would have led to arbitrary code execution on the affected server.
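One defender-side check for the class of problem this issue describes, as an added example that is not code from the issue or the project: it audits a constructed package.json and package-lock.json, with a constructed snapshot standing in for public registry lookups, and flags dependencies that are not locked, whose unscoped name is unclaimed on the public registry, or whose private-scope entry resolved outside the assumed private registry host. The `lodash` and `@acme/internal-utils` entries, the `@acme` scope and the `npm.acme.example` host are assumptions.

```javascript
'use strict';

// Constructed package.json, modelled on the issue: "axiom-base" pinned at 1.0.0,
// alongside a public package and a scoped internal one (the latter two are assumed).
const packageJson = {
  dependencies: { 'axiom-base': '1.0.0', lodash: '^4.17.21', '@acme/internal-utils': '2.1.0' },
};

// Constructed package-lock.json (lockfileVersion 2 "packages" map).
// "axiom-base" is deliberately absent: nothing records where it was fetched from.
const packageLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
    'node_modules/@acme/internal-utils': {
      version: '2.1.0',
      resolved: 'https://npm.acme.example/@acme/internal-utils/-/internal-utils-2.1.0.tgz',
    },
  },
};

// Constructed stand-in for `GET https://registry.npmjs.org/<name>`: a version
// string means the name exists publicly, null means 404 (nobody has claimed it).
const publicRegistry = { lodash: '4.17.21', 'axiom-base': null, '@acme/internal-utils': null };

// Returns one finding per risk. privateScope/privateHost say where the
// organisation's own packages are supposed to come from (assumed values).
function auditDependencies(pkg, lock, registry, privateScope, privateHost) {
  const findings = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      // Unlocked: install takes the newest version matching the range from whichever registry answers.
      findings.push({ name, issue: 'not-in-lockfile' });
    }
    if (!name.startsWith('@') && registry[name] === null) {
      // Unscoped and unclaimed publicly: anyone can publish under this name.
      findings.push({ name, issue: 'unclaimed-public-name' });
    }
    if (entry && name.startsWith(`${privateScope}/`) && new URL(entry.resolved).host !== privateHost) {
      // Internal package fetched from somewhere other than the private registry.
      findings.push({ name, issue: 'internal-resolved-externally' });
    }
  }
  return findings;
}
```

Running `auditDependencies(packageJson, packageLock, publicRegistry, '@acme', 'npm.acme.example')` on the constructed input reports `axiom-base` twice (not locked, and unclaimed on the public registry) and nothing for the other two packages; the fix on the defender side is to claim the name or move internal packages under a scope bound to the private registry in `.npmrc`.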
