🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Compromise Software Dependencies and Development Tools

Malicious npm packages (e.g. compromised versions of common dependencies) are published and pulled into developer and CI environments, providing the attacker an initial foothold via the software supply chain.

Metadata

  • Severity: critical
  • Slug: compromise-software-dependencies-and-development-tools

MITRE

  • T1555.006: Credentials from Password Stores: Cloud Secrets Management Stores
  • T1078.004: Valid Accounts: Cloud Accounts
  • T1059.007: Command and Scripting Interpreter: JavaScript
  • T1567.001: Exfiltration Over Web Service: Exfiltration to Code Repository
  • T1195.001: Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1552.001: Unsecured Credentials: Credentials In Files

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.