When an ethical hacker announced he’d successfully breached the vulnerable software supply chains of 35 technology companies, including Apple, Microsoft and Netflix, it was no surprise to Sonatype.
Our research team detected over 300 suspicious packages back in 2020, led by Alex Birsan’s research efforts. We added these components to our data, alerted the community, and have been actively protecting customers ever since.
By taking advantage of a novel concept known as ‘dependency confusion’, aka ‘namespace confusion’, Birsan pushed his research packages downstream in an automated fashion to the development environments of multinational technology companies. The method he described is now widely deployed by other actors, with 1444% growth in similar packages in the week after he published his findings.
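As an added illustration, not code from Sonatype or from the webinar, the following defensive check shows the kind of manifest and lockfile review a team can run to spot the conditions that make dependency confusion possible. It assumes the mechanism described in Birsan’s public write-up: a build that can resolve a package name from both a private feed and a public registry may pull the public copy when one exists under the same name. The package names, registry hosts, manifest and lockfile below are all constructed for the example.

```python
"""
Defensive dependency-confusion (namespace confusion) check.

Assumption (from Birsan's published research, not from this page): when a
build can resolve a package name from both a private feed and a public
registry, a public package with the same name can be installed instead of
the internal one. Two things are therefore worth flagging:

  1. internal package names declared without a registry scope, which a
     public registry could also satisfy;
  2. lockfile entries for internal packages whose 'resolved' URL points
     at a host that is not one of the approved private registries.

All package names, hosts and file contents here are constructed samples.
"""
from urllib.parse import urlparse

# Constructed package.json-style manifest. "acme-billing-core" is an
# internal package declared without a scope, so it is at risk.
SAMPLE_MANIFEST = {
    "name": "acme-portal",
    "dependencies": {
        "acme-billing-core": "^1.4.0",
        "@acme/auth-client": "^2.3.0",
        "lodash": "^4.17.21",
    },
    "devDependencies": {"jest": "^29.0.0"},
}

# Constructed package-lock.json-style lockfile ("packages" section).
# The internal name resolved from the public registry at a much higher
# version than the team ever published is the classic warning sign.
SAMPLE_LOCK = {
    "packages": {
        "": {"name": "acme-portal"},
        "node_modules/acme-billing-core": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz",
        },
        "node_modules/@acme/auth-client": {
            "version": "2.3.1",
            "resolved": "https://registry.acme.internal/@acme/auth-client/-/auth-client-2.3.1.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    }
}

# Constructed inventory of names the organisation publishes privately,
# and the hosts those names are allowed to be fetched from.
INTERNAL_PACKAGES = {"acme-billing-core", "@acme/auth-client"}
APPROVED_REGISTRY_HOSTS = {"registry.acme.internal"}


def is_scoped(name: str) -> bool:
    """True for npm-style scoped names such as '@acme/auth-client'."""
    return name.startswith("@") and "/" in name


def find_unscoped_internal_deps(manifest: dict, internal_names: set) -> list:
    """Internal names declared in the manifest without a scope.

    Returns the sorted list of dependency names that appear in the
    internal inventory but are unscoped, so a same-named public package
    could satisfy the declaration.
    """
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))
    return sorted(n for n in declared if n in internal_names and not is_scoped(n))


def find_foreign_resolutions(lock: dict, internal_names: set, approved_hosts: set) -> list:
    """Internal packages the lockfile resolved from a non-approved host.

    Returns (name, version, host) tuples in lockfile order. Lockfile keys
    look like 'node_modules/<name>' or nested
    'node_modules/<a>/node_modules/<name>'; the package name is the part
    after the last 'node_modules/'.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # root project entry
            continue
        name = path.split("node_modules/")[-1]
        if name not in internal_names:
            continue
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host not in approved_hosts:
            findings.append((name, meta.get("version"), host))
    return findings


if __name__ == "__main__":
    for name in find_unscoped_internal_deps(SAMPLE_MANIFEST, INTERNAL_PACKAGES):
        print(f"WARNING unscoped internal dependency: {name}")
    for name, version, host in find_foreign_resolutions(
        SAMPLE_LOCK, INTERNAL_PACKAGES, APPROVED_REGISTRY_HOSTS
    ):
        print(f"ALERT {name}@{version} resolved from {host}, not an approved registry")
```

Run against the constructed data, the check reports acme-billing-core both as an unscoped internal name and as having been resolved from registry.npmjs.org at version 99.0.0. Scoping a name only closes the gap when the scope is also reserved on the public registry and the package manager is configured to route that scope exclusively to the private registry; the lockfile review is the check that catches a build where that configuration was missing.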
In this 30-minute webinar, Ax Sharma, Security Researcher and Advocate, Brian Fox, CTO, and Ilkka Turunen, Field CTO, discuss the events that led to the breaches, why this particular method of software supply chain attack is so simple and yet so effective, and what you can do about it to avoid exposure in the future.
Additional topics covered include:
Ethical hacking: why organizations can pay upwards of $100k per breach
How Sonatype detected and protected
Clear steps on how to avoid future attacks