This write-up covers how I discovered a dependency confusion vulnerability on a private HackerOne (H1) program (referred to here as orgxyz) and achieved remote code execution.
While running ffuf against engineering.orgxyz.com, I found a publicly accessible package-lock.json file listing 100+ packages.
This sparked the idea to test for dependency confusion: a technique where an attacker publishes a package to the public npm registry under the same name as an internal one, hoping the internal build resolves the public copy instead.
Luckily, the lock file contained the npm registry URL for each package. I wrote a script to check which package names returned a 404 from the public registry.
I found one: orgxyz-css-1.0.4 was missing.
I registered the same name on npm, added some callback logic, and published it with a higher version number.
index.js: callback logic to ping Burp Collaborator or a canary.
package.json: same name as the internal package, higher version.