rce via dependency confusion

this write-up covers how i discovered a dependency confusion vuln on a private h1 program (referred to as orgxyz) and achieved remote code execution.

while running ffuf on engineering.orgxyz.com, i found a publicly accessible package-lock.json file with 100+ packages.

package-lock.json screenshot

this sparked the idea to test for dependency confusion — a technique where an attacker uploads a malicious package to npm with the same name as an internal one, hoping the internal app pulls it. [read more]

luckily, the json file contained npm registry URLs. i wrote a script to check which ones returned 404s.

registry urls

found one: orgxyz-css-1.0.4 → missing.

i registered the same name on npm, added some callback logic, and pushed it with a higher version.

next steps:

  1. create npm account
  2. build index.js to ping burp collaborator or canary
  3. index.js
  4. create package.json with higher version + same name
  5. package.json
  6. publish & wait
  7. 3 hrs later — canary token triggered
  8. canary trigger
  9. built another version with os command exec + data exfil to burp
  10. an hour later — received callback output
  11. collab url
  12. validated everything → submitted report → got bounty

timeline: