Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository. The packages weaponize a proof-of-concept (PoC) dependency-confusion exploit that was recently devised by security researcher Alex Birsan. Birsan received more than $130,000 in bug bounties and pre-approved financial arrangements with targeted organizations from the experiment. This has spawned legions of copycat bounty hunters looking to reap a payday: there were 275+ such packages uploaded to the npm repository within 48 hours of Birsan's research being published.
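The check a practitioner would want after reading this is whether their own builds could resolve an internal package name from the public npm registry. The script below is an added example, not code from the article or from Birsan's research: it reads a constructed package.json and .npmrc (the manifest, the @acme scope, the private registry URL and the "acme-" naming prefix are all assumptions) and flags every dependency that the public registry would be consulted for, either because the name is an unscoped internal one or because its scope is not pinned to a private registry.

```javascript
// Added example: flag package.json dependencies that a same-named package on the
// public npm registry could hijack. All inputs below are constructed for the demo.
const PACKAGE_JSON = JSON.stringify({
  name: "internal-billing-web",
  dependencies: {
    react: "^17.0.2",                   // genuinely public package, no finding
    "acme-auth-client": "^2.1.0",       // unscoped internal name: public registry wins on version
    "@acme/feature-flags": "^1.4.0",    // scoped and the scope is pinned below: safe
    "@acme-labs/telemetry": "^0.3.0",   // scoped but the scope is NOT pinned: at risk
    "@acme/metrics": "file:../metrics"  // local path, registry never consulted
  }
});

// Constructed .npmrc: only the @acme scope is routed to the private registry.
const NPMRC = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/
//npm.internal.acme.example/:_authToken=\${NPM_TOKEN}
`;

// Parse just the "<scope>:registry=<url>" lines of an .npmrc.
function parseScopedRegistries(npmrc) {
  const scopes = new Map();
  for (const raw of npmrc.split("\n")) {
    const m = raw.trim().match(/^(@[^:]+):registry=(.+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Specs that bypass the registry entirely (paths, git URLs, tarballs, workspaces).
function isRegistrySpec(spec) {
  return !/^(file:|link:|workspace:|git\+|git:|github:|https?:|\.\/|\.\.\/|\/)/.test(spec);
}

// Return the dependencies a public-registry lookalike could satisfy.
// internalPrefixes: naming prefixes the organisation uses for unscoped internal packages.
function findConfusableDeps(packageJson, npmrc, internalPrefixes) {
  const pkg = JSON.parse(packageJson);
  const scopes = parseScopedRegistries(npmrc);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!isRegistrySpec(spec)) continue;
    if (name.startsWith("@")) {
      const scope = name.split("/")[0];
      if (!scopes.has(scope)) {
        findings.push({ name, reason: `scope ${scope} is not pinned to a private registry in .npmrc` });
      }
      continue;
    }
    if (internalPrefixes.some((p) => name.startsWith(p))) {
      findings.push({ name, reason: "unscoped internal name is resolved via the public registry" });
    }
  }
  return findings;
}

// Usage with the constructed inputs above.
const report = findConfusableDeps(PACKAGE_JSON, NPMRC, ["acme-"]);
for (const f of report) console.log(`${f.name}: ${f.reason}`);
```

The unscoped case is the one the article describes: an attacker publishes acme-auth-client on the public registry with a higher version than the private one, and a default-configured client prefers it. Pinning every internal scope in .npmrc (or, better, using a single private registry that proxies the public one with internal names reserved) is the fix the check is steering you towards; the prefix list is only a heuristic for packages that were never scoped.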
Source: https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/