Hi Team,
I hope you are doing well.
I found a critical vulnerability on your website:- https://paper.navcoin.org
Summary:-
I've found a Dependency Confusion vulnerability in the https://paper.navcoin.org website. The vulnerability allows me to claim private npm packages that are being used on the website and serve malicious content on the server, which would allow me to gain remote code execution against anyone who installs the package.
Vulnerable Package:-
https://paper.navcoin.org/package.json
Name: "NavCoinPaperWallet"
Steps To Reproduce:-
https://www.npmjs.com/package/navcoinpaperwallet
When you run or install the npm package, it may lead to remote code execution (RCE).
I am capturing logs, but since npm deletes malicious npm packages after 24 hours, it may be that the IP shown here is wrong and not from your server. However, as a proof of concept (PoC), I have attached above the malicious package that I created.
Impact:-
Remote code execution on the organization's systems.
References:-
These are two excellent blog posts explaining the issue in detail:
Please let me know if you have any questions.
Regards, Ranjeet
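The check behind the Steps To Reproduce above, as an added example that is not part of Ranjeet's report or the NavCoin project's code: a Node.js script that reads a package.json, flags unscoped dependencies that are absent from the public registry (the names anyone could publish) and lists the install-time lifecycle hooks that turn `npm install` into code execution. The manifest, the package names and the registry table below are constructed for the demo and are not the contents of https://paper.navcoin.org/package.json; a real run replaces the table with a request to `https://registry.npmjs.org/<name>`, where a 404 means the name is unclaimed.

```javascript
// Added example (not from the original report): triage a package.json for
// dependency-confusion exposure and install-time code execution.
// Plain Node.js, no third-party modules. Registry data below is CONSTRUCTED
// so the script runs offline; in practice query https://registry.npmjs.org/<name>
// (a 404 response means the name is unclaimed on the public registry).

// npm runs these scripts automatically during `npm install`, so whoever
// controls the package controls a shell command on the installing machine.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed stand-in for "is this name published on registry.npmjs.org?".
// The names and versions are assumptions for the demo, not real lookups.
const PUBLIC_REGISTRY = {
  react: "18.2.0",
  lodash: "4.17.21",
};

// Classify one dependency name. Scoped names (@scope/pkg) can only be
// published by an owner of that scope; unscoped names that are absent from
// the public registry can be claimed by anyone.
function classifyDependency(name, registry = PUBLIC_REGISTRY) {
  if (name.startsWith("@")) {
    return { name, status: "scoped", claimable: false };
  }
  if (Object.prototype.hasOwnProperty.call(registry, name)) {
    return { name, status: "public", claimable: false };
  }
  return { name, status: "unclaimed", claimable: true };
}

// Walk every dependency map in the manifest and return a triage report:
// which names an attacker could register, and which hooks would run on install.
function auditManifest(manifestJson, registry = PUBLIC_REGISTRY) {
  const manifest = JSON.parse(manifestJson);
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const deps = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      deps.push({ section, range, ...classifyDependency(name, registry) });
    }
  }
  const scripts = manifest.scripts || {};
  const installHooks = LIFECYCLE_HOOKS.filter((h) => h in scripts)
    .map((h) => ({ hook: h, command: scripts[h] }));
  return {
    name: manifest.name,
    claimable: deps.filter((d) => d.claimable).map((d) => d.name),
    dependencies: deps,
    installHooks,
  };
}

// Constructed manifest for the demo (assumed names; not the NavCoin file).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-paper-wallet",
  version: "1.0.0",
  scripts: { build: "webpack", postinstall: "node scripts/setup.js" },
  dependencies: {
    react: "^18.2.0",
    "internal-wallet-utils": "^2.1.0",       // private, unscoped: claimable
    "@example-corp/crypto-helpers": "^1.0.0", // scoped: needs scope ownership
  },
  devDependencies: { lodash: "^4.17.21" },
});

const report = auditManifest(SAMPLE_MANIFEST);
console.log("claimable names:", report.claimable);
console.log("install-time hooks:", report.installHooks);
```

The script checks the dependency lists rather than the manifest's own `name` field: a name that resolves to an unclaimed public package is the dependency-confusion finding, and the lifecycle hooks are what make installing such a package equivalent to running the attacker's code. For a real assessment, also confirm how the project's `.npmrc` or lockfile pins those names to a private registry, since a pinned scope or a committed `package-lock.json` with integrity hashes changes what the public registry can inject.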