Sonatype has identified new malicious “dependency confusion” packages published to the npm ecosystem.
These squatted packages are named after repositories, namespaces or components used by well-known companies such as Amazon, Zillow, Lyft, and Slack.
The malicious packages include:
- amzn
- zg-rentals
- lyft-dataset-sdk
- serverless-slack-app
As previously reported by Sonatype, Alex Birsan’s dependency confusion research disclosure led to copycat researchers publishing 275+ identical packages to the npm registry within 48 hours, in hopes of scoring bug bounties. The number then jumped to over 550 within the next few days.
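The squatting described above works because a registry proxy that merges a private feed with the public npm registry serves whichever copy of a name has the highest matching version. The following defender-side check is an added example, not Sonatype's code: it takes a constructed package.json, a constructed list of names the organisation only publishes privately, and a stand-in for the public registry (a name-to-version lookup, here seeded with the package names from this post), and reports each private name that a public package could shadow. The manifest, the `@acme` scope and the version numbers are assumptions for illustration.

```python
import json
import re
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample manifest (hypothetical internal project, not from the post).
INTERNAL_MANIFEST = json.dumps({
    "name": "billing-service",
    "dependencies": {
        "lodash": "^4.17.21",            # genuine public dependency
        "lyft-dataset-sdk": "1.2.0",     # private name that now exists publicly
        "zg-rentals": "0.3.5",           # private name, public copy has the same version
        "@acme/internal-auth": "2.0.1",  # private scoped name, not on the public registry
    },
})
# Names the organisation publishes only to its private registry (constructed).
INTERNAL_NAMES: Set[str] = {"lyft-dataset-sdk", "zg-rentals", "@acme/internal-auth"}
# Stand-in for the public npm registry: name -> highest published version (constructed).
PUBLIC_REGISTRY: Dict[str, str] = {
    "lodash": "4.17.21", "lyft-dataset-sdk": "99.0.0", "zg-rentals": "0.3.5", "amzn": "1.0.0",
}

def parse_version(spec: str) -> Tuple[int, ...]:
    """Reduce a version or range spec to its numeric core: '^4.17.21' -> (4, 17, 21)."""
    core = re.sub(r"^[^\d]*", "", spec).split("-")[0]
    return tuple(int(part) for part in core.split(".")[:3])

def find_confusable(manifest_json: str, internal_names: Set[str],
                    public_lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map each at-risk private dependency name to a risk note; safe names are omitted."""
    findings: Dict[str, str] = {}
    for name, spec in json.loads(manifest_json).get("dependencies", {}).items():
        if name not in internal_names:
            continue  # expected to come from the public registry anyway
        public_version = public_lookup(name)
        if public_version is None:
            # An unscoped private name nobody has claimed publicly can be claimed by anyone.
            # Scoped names are treated as safe here on the assumption the org owns the scope.
            if not name.startswith("@"):
                findings[name] = "unclaimed on public registry: unscoped name can be squatted"
            continue
        # A proxy that merges feeds resolves the range to the highest version it sees,
        # so a public copy at an equal or higher version wins over the private one.
        if parse_version(public_version) >= parse_version(spec):
            findings[name] = f"public {public_version} shadows private {spec}"
        else:
            findings[name] = f"squatted publicly at {public_version} (below private {spec})"
    return findings

if __name__ == "__main__":
    for dep, note in find_confusable(INTERNAL_MANIFEST, INTERNAL_NAMES, PUBLIC_REGISTRY.get).items():
        print(f"{dep}: {note}")
```

In practice `public_lookup` would query the registry's package metadata; pinning private names to a scope the organisation controls and to an explicit registry in `.npmrc` removes the ambiguity the check is looking for.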