rce via dependency confusion

this write-up covers how i discovered a dependency confusion vuln on a private h1 program (referred to as orgxyz) and achieved remote code execution.

while running ffuf on engineering.orgxyz.com, i found a publicly accessible package-lock.json file with 100+ packages.

package-lock.json screenshot

this sparked the idea to test for dependency confusion — a technique where an attacker uploads a malicious package to npm with the same name as an internal one, hoping the internal app pulls it. [read more]

luckily, the json file contained npm registry URLs. i wrote a script to check which ones returned 404s.

registry urls

found one: orgxyz-css-1.0.4 → missing.

i registered the same name on npm, added some callback logic, and pushed it with a higher version.

next steps:

  1. create npm account
  2. build index.js to ping burp collaborator or canary
    3. index.js
  3. create package.json with higher version + same name
    4. package.json
  4. publish & wait
  5. 3 hrs later — canary token triggered
    6. canary trigger
  6. built another version with os command exec + data exfil to burp
  7. an hour later — received callback output
    8. collab url
  8. validated everything → submitted report → got bounty

timeline: