cybershell@soc-lab:~$
cybershell@soc-lab:~$
cybershell@threat-intel:~$
cybershell@threat-intel:~$
cybershell@honeypot:~$
cybershell@honeypot:~$
Back to Projects

NPM Registry MITM Supply Chain Attack Discovery

August 2024 - Present

Attack Vector

Network (MITM)

Initial Triage

P4-LOW

Escalated To

P2-HIGH

Impact

RCE

Overview

Discovered a critical supply chain vulnerability in a public repository where an insecure NPM registry configuration allowed Man-in-the-Middle attacks, enabling remote code execution through malicious package injection. Successfully demonstrated how attackers could poison the npm supply chain by exploiting HTTP transport instead of HTTPS, potentially compromising developer machines and CI/CD pipelines. Initially triaged as P4-Low but escalated after demonstrating the RCE attack vector.

Key Features & Findings

  • Identified insecure .npmrc configuration using HTTP (registry=http://registry.npmjs.org/) in public GitHub repository
  • Developed proof-of-concept demonstrating Remote Code Execution through package substitution
  • Used mitmproxy to intercept HTTP traffic and inject malicious npm packages with post-install scripts
  • Demonstrated how attackers could leverage DNS spoofing or cache poisoning to redirect npm traffic
  • Showed injection of backdoored dependencies like lodash with arbitrary code execution capabilities
  • Coordinated responsible disclosure through Bugcrowd platform
  • Successfully argued for severity escalation from P4 to P2-high due to demonstrated RCE impact

Attack Simulations & Detections

Note: This project was built in a controlled lab environment for educational and portfolio demonstration purposes.

Insecure NPM Registry Configuration

Pending Assignment

Public .npmrc file configured to use unencrypted HTTP connection to npm registry, allowing MITM attacks to inject malicious packages with post-install scripts achieving Remote Code Execution. Initially triaged as P4-Low (Server Security Misconfiguration) but severity escalated after RCE demonstration.

CRITICAL

Attack Chain

  • Step 1: Attacker identifies HTTP registry configuration in public repository
  • Step 2: Position MITM proxy between victim and npm registry via DNS spoofing or network control
  • Step 3: Intercept npm install requests over unencrypted HTTP
  • Step 4: Serve malicious package tarballs with embedded post-install scripts
  • Step 5: Achieve Remote Code Execution on developer machines or CI/CD systems

Proof of Concept

  • Configured mitmproxy with --map-local to substitute legitimate packages
  • Created malicious lodash package with post-install RCE payload
  • Successfully demonstrated code execution: "node -e \"require('child_process').exec('echo hacked > hacked.txt')\""
  • Proved ability to steal credentials, access internal resources, and establish persistence
  • Documented full exploitation chain for Bugcrowd submission

Impact Assessment

  • Developer machine compromise through poisoned dependencies
  • CI/CD pipeline infiltration affecting production deployments
  • Potential for widespread supply chain attack
  • Credential theft and lateral movement opportunities
  • Long-term persistent access through backdoored packages

Business Impact

  • Successfully demonstrated Remote Code Execution through supply chain attack
  • Prevented potential compromise of developer and infrastructure systems
  • Achieved responsible disclosure and remediation (HTTPS enforcement)
  • Severity escalated from initial P4 triage after proving RCE capability
  • Contributed to supply chain security awareness in open source community