This repository is home to the Lockfile Injection research, disclosed in 2019 by Liran Tal.
It was originally published in September 2019 as Why npm lockfiles can be a security blindspot for injecting malicious modules on the Snyk blog.
This open source repository is a continuation of the original research which revealed flaws in popular JavaScript package managers like npm and yarn.
npm Lockfile Injection resources:
- A published article: Why npm lockfiles can be a security blindspot for injecting malicious modules
Tooling:
Ruby Lockfile Injection articles:
- A code repository to reproduce lockfile injection in Ruby gems installed with the Ruby bundler application
- A published article: Ruby gem installations can expose you to lockfile injection attacks
- Media coverage: Catalin Cimpanu security journalist, Ruby Weekly, Proficio, Ruby Libhunt.
This is unique. I’ve never considered that attack vector before, that someone with access to the codebase could send a PR with a malicious change to the Gemfile.lock but not touch the Gemfile.
- This security research was presented at Blackhat 2021 in a talked titled
Picking Lockfiles: Attacking & Defending Your Supply Chainby GitLab security researchers.
