I discovered an npm package whose scope is unclaimed on the npm website. This allows any user to claim that scope and upload malicious code under the unclaimed package. This results in remote code execution on the machines of developers/users who depend on the timeswap repository and build it in a local environment.
## Vulnerable Package Name: @timeswap-labs/timeswap-v1-core
As of now, the package is not claimed on the npm registry, and it is therefore vulnerable to dependency confusion: anyone can register the scope and publish a package under this name, and a build that resolves the name from the public registry will install whatever they publish.
You can read more about dependency confusion here: <https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/>
Nothing, just OSINT.
Claim the scope name "timeswap-labs" by following step 1 of the above POC.
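The check a maintainer would want before (or after) a report like this is a quick audit of every scoped dependency in a project's `package.json` against the registry. The script below is an added example and is not code from the timeswap project or from this report; the `package.json` it parses is constructed for the example, and the registry lookup is injected as a function so the block runs offline against a stub. The `npmRegistryHasPackage` helper shows the live lookup (registry.npmjs.org answers 404 for a name nobody has published) but is not called here.

```javascript
// Added example: find scoped (@scope/name) dependencies that no published
// registry package backs. Constructed sample package.json, not a real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    '@timeswap-labs/timeswap-v1-core': '^1.0.0',
    express: '^4.18.2',
  },
  devDependencies: {
    '@types/node': '^18.0.0',
    'local-tool': 'file:../local-tool', // not fetched from a registry
  },
});

const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Names of scoped dependencies that npm would resolve from a registry.
// Specs containing ':' or '/' (file:, link:, workspace:, git URLs, user/repo
// shorthand) are skipped because they never hit the public registry.
function scopedRegistryDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!name.startsWith('@')) continue;
      if (/[:/]/.test(spec)) continue;
      names.add(name);
    }
  }
  return [...names].sort();
}

// Classify each scoped dependency with isPublished(name) -> boolean.
// Unclaimed entries carry their scope, since that is what an attacker
// would register to publish under the name.
function findUnclaimed(pkgJsonText, isPublished) {
  const unclaimed = [];
  const published = [];
  for (const name of scopedRegistryDependencies(pkgJsonText)) {
    if (isPublished(name)) {
      published.push(name);
    } else {
      unclaimed.push({ name, scope: name.split('/')[0] });
    }
  }
  return { unclaimed, published };
}

// Live lookup for real use (requires Node 18+ global fetch; not called here).
// The registry returns 404 for a package name that has never been published.
async function npmRegistryHasPackage(name) {
  const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
  if (res.status === 404) return false;
  if (!res.ok) throw new Error(`registry lookup failed for ${name}: ${res.status}`);
  return true;
}

// Constructed stub registry for the offline run: only two names "exist".
const STUB_REGISTRY = new Set(['express', '@types/node']);
const stubIsPublished = (name) => STUB_REGISTRY.has(name);

function demo() {
  return findUnclaimed(SAMPLE_PACKAGE_JSON, stubIsPublished);
}

console.log(JSON.stringify(demo(), null, 2));
```

Any name that comes back in `unclaimed` is one that the project controls only by publishing it (or a placeholder) under its own scope, or by pinning the scope to a private registry in `.npmrc` with `@timeswap-labs:registry=https://<private-registry>/` so the public registry is never consulted for it.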