Teknoku.me – A security researcher named Alex Birsan recently managed to hack into more than 35 technology giants, including Apple, Microsoft, Netflix, PayPal, Shopify, Tesla, Yelp, and Uber.
To do so, Birsan uploaded the malware to the package repositories of open source services such as the Python Package Index (PyPI), npm, and RubyGems.
The malware was then distributed so that it penetrated the companies’ internal servers. Birsan’s hacking technique is sophisticated.
The reason is that the malware Birsan sent could infiltrate a company’s security system automatically, without requiring any direct action by the victim.
Despite successfully infiltrating the companies’ security systems, Birsan says he had no malicious intent: he reported the security loophole to every company he had managed to break into.
Thanks to this noble action, Birsan collected “bug bounty” rewards totalling 130,000 USD.
Since last year
Birsan had apparently been planning the hacking attempt since 2020. At that time, he noticed that a PayPal npm package referenced in several manifest files was not publicly available.
PayPal had in fact built the npm package to be used and stored privately within the company.
Knowing this, Birsan wondered whether he could use a fake package renamed to match it, hosted publicly, to infect the server.
To test this hypothesis, Birsan then searched for the names of the company’s internal packages in manifest files in GitHub repositories or on the CDN.
Next, Birsan created his own custom version of the package, with the same name as the internal package. He then distributed it through the npm, PyPI, and RubyGems services.
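As an added, defender-side illustration (not code from the article or from Birsan’s research): a check that reads a project’s package.json and .npmrc and flags internal package names that npm would resolve through the default registry, which is the condition that lets a public package of the same name compete with the private one. The manifest, the .npmrc and the list of internal names are constructed samples; the scope-routing rule follows npm’s `@scope:registry=` setting.

```python
import json
from typing import Iterable, List, Set, Tuple

# Constructed sample package.json: public deps mixed with internal ones.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "express": "^4.18.2",
    "acme-billing-core": "1.4.0",
    "@acme/auth-client": "^2.0.0",
    "@acme/legacy-utils": "file:../legacy-utils",
    "@contoso/reporting": "^0.9.1"
  }
}"""

# Constructed sample .npmrc: only the @acme scope is routed to a private registry.
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Hypothetical list of names known to be internal (exported from the private registry).
INTERNAL_NAMES = {"acme-billing-core", "@acme/auth-client",
                  "@acme/legacy-utils", "@contoso/reporting"}
NON_REGISTRY_PREFIXES = ("file:", "link:", "git+", "git:", "http:", "https:")  # no registry lookup

def private_scopes(npmrc_text: str) -> Set[str]:
    # Scopes with an explicit "@scope:registry=..." line in .npmrc.
    scopes = set()
    for line in npmrc_text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scopes.add(line.split(":registry=", 1)[0])
    return scopes

def find_confusable(package_json_text: str, npmrc_text: str,
                    internal_names: Iterable[str]) -> List[Tuple[str, str]]:
    # Internal dependencies that npm would look up on the default (public) registry.
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    scopes, internal = private_scopes(npmrc_text), set(internal_names)
    findings = []
    for name, spec in sorted(deps.items()):
        if name not in internal or spec.startswith(NON_REGISTRY_PREFIXES):
            continue  # public package, or fetched from a path/git/URL
        if not name.startswith("@"):
            findings.append((name, "unscoped: resolved via the default registry"))
        elif name.split("/", 1)[0] not in scopes:
            findings.append((name, "scope has no @scope:registry entry in .npmrc"))
    return findings
```

Running it on the samples reports `acme-billing-core` and `@contoso/reporting`, while `@acme/auth-client` (routed to the private registry) and `@acme/legacy-utils` (a `file:` dependency) pass.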
Birsan also stated that the package did not contain any files that could harm the companies’ security systems.
“This package is intended for security research purposes, and does not contain malicious code,” said Birsan.