Threat actors are targeting Node.js applications at Amazon, Zillow, Lyft and Slack with a new "dependency confusion" attack: malicious npm packages that steal the Linux/Unix password file and open reverse shells back to the attackers. The technique works by publishing packages to the public npm registry under the same names as a company's internal (private) packages. A build that resolves dependencies from both the private feed and the public registry can then install the attacker's copy instead of the internal one, typically because the public package carries a higher version number. Microsoft has published a white paper, "3 Ways to Mitigate Risk When Using Private Package Feeds", with guidance on preventing this class of supply-chain attack.
Source: https://www.bleepingcomputer.com/news/security/malicious-npm-packages-target-amazon-slack-with-new-dependency-attacks/
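The following is an added example, not code from the article, from the affected companies or from Microsoft's white paper. It is a toy model of the resolution flaw behind dependency confusion and of the fix: a resolver that merges a private feed with the public registry and takes the highest matching version hands the attacker the win, whereas a resolver that maps each package scope to exactly one registry never consults the public registry for internal packages. It also includes a small audit of a package.json against that scope map. All package names, versions and feed contents below are constructed for the demonstration.

```javascript
// Added example: simulates dependency-confusion resolution and the scoped-registry fix.
// Every feed, package name and version here is constructed, not taken from a real registry.

// Parse "X.Y.Z" into numbers; anything else is rejected to keep the toy strict.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range support: "*", ">=X.Y.Z", and "^X.Y.Z" (same major, at least X.Y.Z).
function satisfies(range, version) {
  if (range === '*') return true;
  if (range.startsWith('>=')) return compareVersions(version, range.slice(2)) >= 0;
  if (range.startsWith('^')) {
    const want = range.slice(1);
    return parseVersion(version)[0] === parseVersion(want)[0] && compareVersions(version, want) >= 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Constructed feeds. The company's private feed serves "acme-internal-utils" (unscoped)
// and "@acme/internal-utils" (scoped). An attacker has published a public package
// named "acme-internal-utils" with a deliberately huge version number.
const PRIVATE_FEED = {
  'acme-internal-utils': ['1.0.0', '1.2.0'],
  '@acme/internal-utils': ['1.0.0', '1.2.0'],
};
const PUBLIC_REGISTRY = {
  'acme-internal-utils': ['99.0.0'], // attacker-controlled, constructed
  lodash: ['4.17.21'],
};

function pickHighest(candidates) {
  return candidates.reduce(
    (best, c) => (best && compareVersions(best.version, c.version) >= 0 ? best : c),
    null,
  );
}

// Vulnerable resolution: consult every configured source and take the highest
// matching version, regardless of which source it came from.
function resolveMerged(name, range) {
  const candidates = [];
  for (const [source, feed] of [['private', PRIVATE_FEED], ['public', PUBLIC_REGISTRY]]) {
    for (const version of feed[name] || []) {
      if (satisfies(range, version)) candidates.push({ version, source });
    }
  }
  return pickHighest(candidates);
}

// Hardened resolution: the scope of the name selects the single registry allowed to
// serve it (the npm ".npmrc" setting "@scope:registry=URL"). An unscoped name is only
// ever fetched from the public registry, so internal packages must be scoped.
function resolveScoped(name, range, scopeRegistries) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const source = scope && scopeRegistries[scope] ? scopeRegistries[scope] : 'public';
  const feed = source === 'private' ? PRIVATE_FEED : PUBLIC_REGISTRY;
  const candidates = (feed[name] || [])
    .filter((v) => satisfies(range, v))
    .map((version) => ({ version, source }));
  return pickHighest(candidates);
}

// Audit a package.json object: an unscoped dependency that also exists on the private
// feed is a confusion candidate; a scoped dependency whose scope has no registry
// mapping silently falls through to the public registry.
function auditDependencies(pkg, scopeRegistries) {
  const findings = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (name.startsWith('@')) {
      const scope = name.split('/')[0];
      if (!scopeRegistries[scope]) findings.push(`${name}: scope ${scope} has no registry mapping, resolves publicly`);
    } else if (PRIVATE_FEED[name]) {
      findings.push(`${name}: unscoped internal package, a same-named public package can win`);
    }
  }
  return findings;
}

// Demonstration with a constructed manifest.
const SCOPE_REGISTRIES = { '@acme': 'private' };
const manifest = {
  dependencies: { 'acme-internal-utils': '>=1.0.0', '@acme/internal-utils': '^1.0.0', lodash: '^4.0.0' },
};
console.log('merged  :', resolveMerged('acme-internal-utils', '>=1.0.0'));
console.log('scoped  :', resolveScoped('@acme/internal-utils', '^1.0.0', SCOPE_REGISTRIES));
console.log('findings:', auditDependencies(manifest, SCOPE_REGISTRIES));

module.exports = { resolveMerged, resolveScoped, auditDependencies, satisfies, compareVersions };
```

The merged resolver returns the attacker's 99.0.0 for the unscoped name, while the scoped resolver returns the private 1.2.0 for `@acme/internal-utils` and never looks at the public registry for that scope. The audit flags the unscoped internal dependency; the remaining two mitigations from Microsoft's paper (claiming the internal names on the public registry and verifying what was installed on the client side) are outside this model.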

