- https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
- https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf
It looks like if someone were to create a public package with a higher version than the internal package, this could potentially compromise a site.
Currently, we're under the assumption that if we look for a private package within an internal registry and find it, we don't look for newer packages externally.
- Figure out the actual process we're using to locate internal vs external packages.
- See if we need to make any changes in how our process works to avoid any potential leaks.
- Verify that no manifest files for our projects are public.
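The resolution behaviour the ticket is worried about, as an added example that is not part of the original ticket or of any real registry: a feed that merges the internal registry with the public npm registry and picks the highest version ends up serving the attacker's public package, while a resolver that pins internal names (or an internal scope, the way an `@acme:registry=...` line in .npmrc pins a scope in npm) to the internal feed does not. The package names, versions, the `@acme` scope and the two feeds are constructed for illustration; the banner strings mirror the "private test" / "public test" markers used in the verification steps below.

```javascript
// Added example, not code from the original ticket. Everything here is
// constructed: two fake feeds, a vulnerable "merged" resolver, a hardened
// "pinned" resolver, and a small manifest audit built on the same feeds.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags ignored for brevity).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Constructed feeds. The internal registry serves blue-emu 1.4.2 (and a scoped
// copy); an attacker has registered the same unscoped name publicly with a
// version chosen to outrank anything internal.
const internalFeed = {
  'blue-emu': { '1.4.2': { source: 'internal', banner: 'blue-emu private test' } },
  '@acme/blue-emu': { '1.4.2': { source: 'internal', banner: 'blue-emu private test' } },
};
const publicFeed = {
  'blue-emu': { '99.0.0': { source: 'public', banner: 'blue-emu public test' } },
  'lodash': { '4.17.21': { source: 'public', banner: 'lodash' } },
};

function highestVersion(versions) {
  return Object.keys(versions).sort(compareSemver).pop();
}

// Vulnerable: a virtual feed that unions both upstreams and answers "latest"
// with the highest version across them. The attacker's 99.0.0 wins.
function resolveMerged(name) {
  const merged = { ...(publicFeed[name] || {}), ...(internalFeed[name] || {}) };
  const v = highestVersion(merged);
  if (!v) return null;
  return { name, version: v, source: merged[v].source, banner: merged[v].banner };
}

// Hardened: a name that exists internally, or that carries the internal scope,
// is answered only from the internal feed and never falls through to the
// public one; the public feed is consulted only for everything else.
function resolvePinned(name, internalScope = '@acme') {
  const isInternal = name.startsWith(internalScope + '/') || name in internalFeed;
  const feed = isInternal ? internalFeed : publicFeed;
  const versions = feed[name];
  if (!versions) return null;
  const v = highestVersion(versions);
  return { name, version: v, source: versions[v].source, banner: versions[v].banner };
}

// Manifest audit: every unscoped dependency that the internal feed serves is a
// confusion candidate. If the public registry already has the name, someone
// else owns it; if it does not, the name is free for an attacker to claim.
function auditDependencies(pkg, internalScope = '@acme') {
  const findings = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (name.startsWith(internalScope + '/')) continue; // scoped: pinned to internal
    if (!(name in internalFeed)) continue;              // genuinely public dependency
    findings.push({ name, publicName: name in publicFeed ? 'claimed' : 'unclaimed' });
  }
  return findings;
}

// Constructed package.json for the audit.
const samplePackageJson = {
  dependencies: { 'blue-emu': '^1.0.0', 'lodash': '^4.17.0', '@acme/blue-emu': '^1.0.0' },
};

console.log('merged :', resolveMerged('blue-emu'));
console.log('pinned :', resolvePinned('blue-emu'));
console.log('audit  :', auditDependencies(samplePackageJson));
```

The merged resolver reproduces the failure mode: the only thing an attacker controls is the public version number, and "highest version wins" hands them the install. The pinned resolver makes the decision on name and scope before any version comparison happens, which is the property to confirm in whatever the real registry setup turns out to be.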
$ npm install --save blue-emu
Require module in app/index.js
require('blue-emu');
Look for the console log during app startup. Verify that it says "public test" and not "private test".
*************** blue-emu public test ***************