Blog | G5 Cyber Security

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

Sonatype has identified new dependency confusion packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack. Many of these have no disclaimers or code comments in place indicating these are linked to any kind of ethical bug bounty program, or created for security research purposes. As soon as these packages are installed automatically because they share a name with an internal dependency, they exfiltrate the user's history file and /etc/shadow, and in some cases spawn a reverse shell.

Source: https://blog.sonatype.com/malicious-dependency-confusion-copycats-exfiltrate-bash-history-and-etc-shadow-files
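The mechanism described above (a public package that shares a name with an internal dependency being pulled in by the installer) leaves a trace in the lockfile: an internal-only name whose `resolved` URL points at the public registry. The script below is an added example, not code from Sonatype's post or from any of the named companies; it walks a package-lock.json, takes a list of package names and scopes that an organisation publishes only to its private registry, and reports every such dependency that was fetched from a public host. The registry hostname `npm.internal.example`, the `@acme` scope, and the sample lockfile are constructed for illustration.

```python
"""Flag dependency-confusion candidates in an npm lockfile.

Added example (not from the Sonatype post). Given a package-lock.json and the
set of names/scopes an organisation only ever publishes to its private
registry, list every dependency that instead resolved from a public registry.
All names, hosts and the sample lockfile below are constructed.
"""
import json
from urllib.parse import urlparse

# Hosts treated as "public". The private registry host used in the sample
# (npm.internal.example) is an assumption for illustration only.
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}


def is_internal(name, internal_names, internal_scopes):
    """True if the package name, or its @scope, is one the org owns internally."""
    if name in internal_names:
        return True
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        return scope in internal_scopes
    return False


def iter_lock_packages(lock):
    """Yield (name, resolved_url) for lockfileVersion 2/3 ('packages')
    and, as a fallback, lockfileVersion 1 ('dependencies')."""
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Paths look like "node_modules/@acme/auth-client" or, when nested,
            # "node_modules/a/node_modules/b"; the name is the last segment.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("resolved", "")
    else:
        def walk(deps):
            for name, meta in (deps or {}).items():
                yield name, meta.get("resolved", "")
                yield from walk(meta.get("dependencies"))
        yield from walk(lock.get("dependencies"))


def find_confused(lock, internal_names, internal_scopes):
    """Return [(name, resolved_url)] for internal names fetched from a public host."""
    findings = []
    for name, resolved in iter_lock_packages(lock):
        if not is_internal(name, internal_names, internal_scopes):
            continue
        host = urlparse(resolved).hostname or ""
        if host in PUBLIC_REGISTRY_HOSTS:
            findings.append((name, resolved))
    return findings


# Constructed sample lockfile: one public package, one internal scoped package
# correctly fetched from the private registry, and one internal-only name that
# resolved from registry.npmjs.org (the dependency-confusion case).
SAMPLE_LOCK = json.loads("""
{
  "name": "web-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "web-app"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/@acme/auth-client": {
      "version": "2.0.1",
      "resolved": "https://npm.internal.example/@acme/auth-client/-/auth-client-2.0.1.tgz"
    },
    "node_modules/acme-feature-flags": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/acme-feature-flags/-/acme-feature-flags-99.0.0.tgz"
    }
  }
}
""")

if __name__ == "__main__":
    for name, url in find_confused(SAMPLE_LOCK, {"acme-feature-flags"}, {"@acme"}):
        print(f"dependency confusion candidate: {name} <- {url}")
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))` and the two sets with the organisation's own internal names and scopes. The durable fix is to make the resolver never consult the public registry for those names in the first place, for example by mapping each internal scope to the private registry in `.npmrc` (`@acme:registry=https://npm.internal.example/`) and publishing internal packages only under such scopes, so that an unscoped public package with the same name cannot be selected.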
