Researchers have identified a dependency confusion vulnerability affecting an archived Apache project called Cordova App Harness.
Dependency confusion attacks occur because package managers check public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private one. If successful, the consequences can be serious, such as the compromise of all downstream customers who install the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security firm Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since rolled out fixes to prioritize private versions, application security firm Legit Security said it discovered that the Cordova App Harness project references an internal dependency called cordova-harness-client without a relative file path.
The open source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door open to a supply chain attack by uploading a malicious version of the same name with a higher version number, thus forcing npm to retrieve the bogus version from the public registry.
The bogus package attracted over 100 downloads after being uploaded to npm, which indicates that the archived project is still in use and possibly poses serious risks to its users.
In a hypothetical attack scenario, an attacker could hijack the library to deliver malicious code that could be executed on the target host upon package installation.
The Apache security team has since addressed the issue by taking ownership of the cordova-harness-client package. It is worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
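The following is an added example, not code from the article, Legit Security or the Cordova project: a small audit that flags internal dependencies declared the way the article describes for cordova-harness-client (a bare version range with no relative file path and no scope pinned to a private registry), alongside the same manifest after the fix. The internal-name list, the `.npmrc` scope map, the `@acme` scope and the sample manifests are all constructed assumptions.

```javascript
// Added example: audit a package.json for internal dependencies that npm would
// resolve from the public registry. An internal name declared with a plain
// version range, no file: path and no scope pinned to a private registry is
// exposed to dependency confusion. INTERNAL_PACKAGES, the scope map and the
// sample manifests below are constructed for illustration.
const INTERNAL_PACKAGES = new Set(['cordova-harness-client', '@acme/build-tools']);

// Version specs that npm resolves without consulting any registry.
function isLocalSpec(spec) {
  return /^(file:|link:|\.{0,2}\/|git\+|git:|github:|https?:\/\/|ssh:)/.test(spec);
}

// Returns one finding per internal dependency that is exposed to confusion.
// scopedRegistries mirrors .npmrc lines of the form "@scope:registry=<url>".
function auditDependencies(pkg, internalNames, scopedRegistries = {}) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!internalNames.has(name) || isLocalSpec(spec)) continue;
      const scope = name.startsWith('@') ? name.split('/')[0] : null;
      if (scope && scopedRegistries[scope]) continue; // served by the private registry
      findings.push({
        field, name, spec,
        fix: scope ? `pin ${scope} to the private registry in .npmrc`
                   : `reference ${name} by a file: path or move it under a private scope`,
      });
    }
  }
  return findings;
}

// Constructed manifest modelled on the archived project's situation.
const exposedManifest = {
  name: 'harness-example',
  dependencies: { 'cordova-harness-client': '^1.0.0', express: '^4.18.0' },
  devDependencies: { '@acme/build-tools': '2.1.0' },
};

// The same manifest after applying both fixes (file path + scope pinned in .npmrc).
const fixedManifest = {
  name: 'harness-example',
  dependencies: { 'cordova-harness-client': 'file:../cordova-harness-client', express: '^4.18.0' },
  devDependencies: { '@acme/build-tools': '2.1.0' },
};
const fixedNpmrcScopes = { '@acme': 'https://npm.internal.example/' }; // constructed URL

console.log(JSON.stringify(auditDependencies(exposedManifest, INTERNAL_PACKAGES), null, 2));
console.log(JSON.stringify(auditDependencies(fixedManifest, INTERNAL_PACKAGES, fixedNpmrcScopes)));
```

Run it in a CI step against the repository's package.json; any finding means an install on a fresh machine would consult the public registry for a name that is supposed to be internal.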
“This finding highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open source projects that may not receive regular updates or security patches,” said Legit Security researcher Ofek Haviv.
“While it may seem tempting to leave them as is, these projects tend to have vulnerabilities that don’t get attention and are likely not going to be fixed.”