"Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"

An ethical hacker named Alex Birsan has demonstrated a novel supply-chain attack that breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, and Uber, by exploiting public, open-source developer tools.  The attack injects malicious code into common tools for installing dependencies in developer projects that typically use public depositories from GitHub sites. The malicious code then uses these dependencies to propagate malware through a targeted company's internal applications and systems.  Once he began to target companies with his attack, he stated that "the success rate was simply astonishing."  The vulnerability he exploited, which he called dependency confusion, was detected inside more than 35 organizations to date and across three tested programming languages Python, Ruby, and Java.  The researcher received more than $130,000 in both bug bounties and pre-approved financial arrangements with targeted organizations.

Threatpost reports: "Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"