Merge pull request #2083 from HackTricks-wiki/update_Frequently_Asked_Questions_About_the_Axios_npm_Sup_20260402_020436

Frequently Asked Questions About the Axios npm Supply Chain ...

Author: carlospolop

src/pentesting-web/dependency-confusion.md

@@ -28,6 +28,62 @@ If your project references a library that isn’t available in the private regis
 
 Developers frequently leave versions unpinned or allow wide ranges. When a resolver is configured with both internal and public indexes, it may select the newest version regardless of source. For internal names like `requests-company`, if the internal index has `1.0.1` but an attacker publishes `1.0.2` to the public registry and your resolver considers both, the public package may win.
 
+### Related pattern: compromise of a legitimate package release
+
+Dependency confusion is not the only way to get install-time execution. If an attacker compromises the maintainer account or publishing token of a legitimate package, they can publish a malicious version of the real package and obtain code execution on every machine that installs it.
+
+Common pattern in the npm ecosystem:
+- The attacker modifies only `package.json` and adds a new dependency.
+- The new dependency is **never imported** by the main library, so source review of the application code may look clean.
+- The dependency contains a `preinstall`/`install`/`postinstall` hook that runs automatically during `npm install`, `npm ci`, Yarn, pnpm, or CI builds.
+- The hook fetches or drops the real payload, often choosing per-OS implants for macOS, Windows, and Linux.
+
+This is a useful red-team and incident-response mental model because **importing the victim library is not required**. The execution path is installation-time, not runtime.
+
+Minimal malicious pattern:
+
+`package.json` of the compromised package:
+```json
+{
+  "name": "popular-lib",
+  "version": "1.2.4",
+  "dependencies": {
+    "helper-lib": "^4.2.1"
+  }
+}
+```
+
+`package.json` of the injected dependency:
+```json
+{
+  "name": "helper-lib",
+  "version": "4.2.1",
+  "scripts": {
+    "postinstall": "node setup.js"
+  }
+}
+```
+
+Practical notes:
+- CI/CD runners are especially valuable targets because the hook runs before tests and often has access to cloud credentials, package tokens, signing keys, and deployment secrets.
+- If you are trying to prove impact in an authorized exercise, `postinstall` is usually enough to demonstrate install-time code execution without modifying application logic.
+- Defenders should remember that `npm ci` still runs lifecycle scripts unless `--ignore-scripts` is set.
+
+### Obfuscated Node.js droppers and manifest laundering
+
+Malicious install hooks often try to survive quick review by:
+- Hiding C2 strings or commands behind layered transforms such as reversed Base64, XOR, or split strings.
+- Dynamically loading Node modules (`fs`, `os`, `child_process`, `execSync`) only at runtime to reduce obvious static indicators.
+- Deleting the dropper after execution and restoring a benign-looking manifest.
+
+One anti-forensic trick is **manifest laundering**:
+1. Run the malicious hook.
+2. Delete the malicious `setup.js` or equivalent.
+3. Delete the malicious `package.json`.
+4. Rename a benign stub such as `package.md` back to `package.json`.
+
+After infection, the installed dependency directory may look clean unless investigators review install logs, lockfile changes, registry metadata, package tarballs, file timelines, or known-good hashes.
+
 
 ## AWS Fix
 
@@ -113,6 +169,7 @@ Operational tips:
 - Only publish internal packages within the `@company` scope.
 - For third-party packages, allow public registry via your private proxy/mirror, not directly from clients.
 - Consider enabling npm package provenance for public packages you publish to increase traceability (doesn’t by itself prevent confusion).
+- For high-risk environments, install with scripts disabled first (`npm ci --ignore-scripts`) and only allow scripts in controlled build stages.
 
 ### Python (pip / Poetry)
 
@@ -276,13 +333,59 @@ bundle config set disable_multisource true
 - Name reservation: pre-register your internal names/namespaces in public registries where supported.
 - Package provenance / attestations: when publishing public packages, enable provenance/attestations to make tampering more detectable downstream.
 
+### Detecting unauthorized publishes in trusted-publisher pipelines
+
+If a package normally uses npm trusted publishing with GitHub Actions or GitLab OIDC, a release pushed with a stolen classic token often looks different from legitimate releases.
+
+Useful heuristics:
+- The package version exists in the registry but lacks the expected trusted-publisher / provenance metadata.
+- There is no matching git tag or release commit for the published version.
+- The package tarball adds a dependency whose only purpose is a lifecycle hook.
+- The newly added dependency is never referenced by the main library source.
+- The lockfile or install logs show `preinstall` / `postinstall` execution shortly before network egress or secret access from a runner.
+
+This is not limited to dependency confusion: it also catches compromise of maintainer credentials or leaked automation tokens.
+
+### Cooldown / age-gate controls for fresh releases
+
+Fresh malicious versions are often detected and removed quickly. Delaying adoption of newly published versions can block a large class of opportunistic supply-chain compromises:
+
+```yaml
+# pnpm-workspace.yaml
+minimumReleaseAge: 10080 # 7 days in minutes
+```
+
+```yaml
+# .yarnrc.yml
+npmMinimalAgeGate: "7d"
+```
+
+```toml
+# bunfig.toml
+[install]
+minimumReleaseAge = 604800 # 7 days in seconds
+```
+
+```ini
+# .npmrc
+min-release-age=7
+```
+
+These controls do **not** replace lockfiles or trusted publishing, but they reduce exposure to packages published minutes or hours earlier.
+
 
 ## References
 
 - [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
 - [https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d](https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d)
 - [https://learn.microsoft.com/en-us/nuget/consume-packages/package-source-mapping](https://learn.microsoft.com/en-us/nuget/consume-packages/package-source-mapping)
 - [https://yarnpkg.com/configuration/yarnrc/](https://yarnpkg.com/configuration/yarnrc/)
+- [https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069](https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069)
+- [https://docs.npmjs.com/trusted-publishers/](https://docs.npmjs.com/trusted-publishers/)
+- [https://docs.npmjs.com/generating-provenance-statements](https://docs.npmjs.com/generating-provenance-statements)
+- [https://docs.npmjs.com/cli/v11/using-npm/changelog/](https://docs.npmjs.com/cli/v11/using-npm/changelog/)
+- [https://pnpm.io/settings](https://pnpm.io/settings)
+- [https://bun.sh/docs/runtime/bunfig](https://bun.sh/docs/runtime/bunfig)
 
 
 {{#include ../banners/hacktricks-training.md}}