By Editor | May 17th, 2022

Thorough Testing: A penetration tester has accidentally caused considerable alarm at multiple security firms

A chain of recent events led multiple security firms to believe that someone was attempting to hack German companies, possibly as part of a supply chain attack, after several malicious-looking JavaScript packages were discovered.  The actual cause turned out to be less threatening: according to an article in The Record, the packages were the result of penetration testing by the security firm Code White.

Says David Elze, CEO of Code White, of the penetration testing, “We’re doing this to really improve the security resilience level of our clients by utilizing the most recent and most probable attack techniques like dependency confusion in this case for some of them to show the impact, raise awareness and further prepare organizations for actual threat actors.”  The company also released a separate statement, saying “We’re trying to mimic realistic threat actors for dedicated clients as part of our Security Intelligence Service and we brought our ‘own’ package manager that supports yarn and npm.”

Despite the explanation, members of other security firms did offer some criticism of Code White’s approach.  Shachar Menashe, senior director of security research at JFrog, noted the nature of the penetration testing could have caused problems for the targets, saying “Since the code had absolutely no indications in it (in the source code) or in its metadata (ex. the npm package description) this could have put the company’s threat response team into high alert, wasting the client’s resources on nothing.”
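Dependency confusion, the technique Code White says it used, works when a build resolves an internal package name from the public registry instead of the private one, typically because a look-alike was published there with a higher version.  The following check is an added example for this page; it is not Code White's package manager, nor anything from The Record article.  It scans an npm package-lock.json (lockfileVersion 2 or 3) and flags internal packages that were fetched from a host other than the private registry, or whose version number is implausibly high.  The package names, the registry host and the lockfile contents are all constructed for illustration.

```javascript
// Added example (not Code White's tooling, not from the article): scan an npm
// package-lock.json "packages" map for dependency confusion exposure.
// All names, hosts and the lockfile below are constructed for illustration.

// Assumed: names the organisation publishes only to its private registry.
const INTERNAL_PACKAGES = new Set([
  "@acme/auth-client",
  "acme-logging",
  "acme-billing-sdk",
]);

// Assumed: hosts from which internal packages may legitimately be fetched.
const INTERNAL_REGISTRY_HOSTS = new Set(["npm.acme.internal"]);

// A confusing package is usually published with an absurdly high version so
// that any caret or tilde range resolves to it; treat major >= 90 as suspicious.
const SUSPICIOUS_MAJOR = 90;

// Constructed lockfile: one unscoped internal package has been resolved from
// the public registry at a bogus version; everything else is as expected.
const sampleLock = {
  name: "acme-portal",
  lockfileVersion: 3,
  packages: {
    "": { name: "acme-portal", version: "1.0.0" },
    "node_modules/@acme/auth-client": {
      version: "2.1.0",
      resolved: "https://npm.acme.internal/@acme/auth-client/-/auth-client-2.1.0.tgz",
    },
    "node_modules/acme-logging": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-logging/-/acme-logging-99.0.0.tgz",
    },
    "node_modules/acme-billing-sdk": {
      version: "1.4.2",
      resolved: "https://npm.acme.internal/acme-billing-sdk/-/acme-billing-sdk-1.4.2.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per internal package that looks confused, with the
// reasons collected so a triage team sees host and version problems together.
function findConfusedDependencies(lock, internalPackages, internalHosts) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name === null || !internalPackages.has(name)) continue;

    const reasons = [];
    let host = null;
    if (typeof entry.resolved !== "string") {
      reasons.push("no resolved URL recorded");
    } else {
      try {
        host = new URL(entry.resolved).host;
      } catch {
        reasons.push("unparseable resolved URL");
      }
      if (host !== null && !internalHosts.has(host)) {
        reasons.push(`internal package fetched from ${host}`);
      }
    }
    const major = parseInt(String(entry.version || "").split(".")[0], 10);
    if (Number.isInteger(major) && major >= SUSPICIOUS_MAJOR) {
      reasons.push(`implausible version ${entry.version}`);
    }
    if (reasons.length > 0) findings.push({ name, version: entry.version, host, reasons });
  }
  return findings;
}

// One report line per finding, suitable for a CI log.
function formatFindings(findings) {
  return findings.map((f) => `${f.name}@${f.version}: ${f.reasons.join("; ")}`);
}

// Stand-alone run over the constructed lockfile.
for (const line of formatFindings(
  findConfusedDependencies(sampleLock, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOSTS)
)) {
  console.log(line);
}
```

The durable fix for scoped names is registry pinning in `.npmrc` (for the assumed scope above, `@acme:registry=https://npm.acme.internal/`), which keeps npm from ever consulting the public registry for that scope.  Unscoped internal names such as `acme-logging` cannot be pinned per package that way, which is exactly why a lockfile scan like this one is worth running in CI.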

Source:

https://therecord.media/how-a-pentesters-attempt-to-be-as-realistic-as-possible-alarmed-cybersecurity-firms/

