Hi Team,

I hope you are doing well.

I found a critical vulnerability on your website: https://paper.navcoin.org

Summary:
I've found a Dependency Confusion vulnerability in the [ https://paper.navcoin.org ] website. The vulnerability allows me to claim private npm packages that are being used on the website, and serve malicious content on the server which would allow me to gain remote code execution on anyone who installs the package.

Vulnerable Package:
https://paper.navcoin.org/package.json
Name: "NavCoinPaperWallet"

Steps To Reproduce:
https://www.npmjs.com/package/navcoinpaperwallet
## When you run or install the npm package, it may lead to remote code execution (RCE).

I am capturing logs, but since npm deletes malicious npm packages after 24 hours, it is possible that the IP shown here is wrong and not from your server. However, as proof of concept (POC), I have attached the malicious package above that I created.

Impact:
Remote Code Execution on the organization systems.

References:
These are two excellent blog posts explaining the issue in detail:
Please let me know if you have any questions.
Regards,
Ranjeet
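The report above names a package.json and an unscoped package name as the exposure. The following Node script is an added example written for this page from a defender's point of view; it is not code from the reporter or from the NavCoin project. It performs an offline static audit of a package.json against the .npmrc scope-to-registry mapping and a list of names the organisation treats as internal, and flags names that the public registry could resolve. The package.json contents, the .npmrc, the internal-name list, the `@navcoin` scope and the `npm.internal.example` registry host are all constructed for illustration; only the project name "NavCoinPaperWallet" comes from the report.

```javascript
// Added example (not part of the report): static dependency-confusion audit of a
// package.json. All inputs below are constructed for illustration.

// Constructed package.json. Only the "name" value is taken from the report above;
// the dependencies and their versions are hypothetical.
const PACKAGE_JSON = JSON.stringify({
  name: "NavCoinPaperWallet",
  version: "1.0.0",
  dependencies: {
    "@navcoin/wallet-core": "^2.1.0", // hypothetical internal, scoped
    "navcoin-qr-helper": "1.4.2",     // hypothetical internal, unscoped
    "react": "^18.2.0"                // ordinary public package
  },
  devDependencies: {
    "@navcoin/build-tools": "0.3.0"   // hypothetical internal, scoped
  }
});

// Constructed .npmrc: only scopes mapped here resolve from the private registry,
// so an unscoped name always goes to the public registry.
const NPMRC = `
@navcoin:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=\${NPM_TOKEN}
`;

// Constructed list of names the organisation considers internal. Comparison is
// case-insensitive because npm normalises package names to lower case, so
// "NavCoinPaperWallet" and "navcoinpaperwallet" are the same registry entry.
const INTERNAL_NAMES = ["navcoin-qr-helper", "NavCoinPaperWallet"];

// Parse "@scope:registry=URL" lines from .npmrc into a Map of scope -> registry.
function parseNpmrcScopes(text) {
  const scopes = new Map();
  for (const raw of text.split("\n")) {
    const m = /^(@[^:]+):registry=(\S+)$/.exec(raw.trim());
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Return the "@scope" part of a package name, or null for unscoped names.
function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Classify the project's own name and every dependency by dependency-confusion risk.
function auditPackageJson(pkgText, npmrcText, internalNames) {
  const pkg = JSON.parse(pkgText);
  const scopes = parseNpmrcScopes(npmrcText);
  const internal = new Set(internalNames.map((n) => n.toLowerCase()));
  const findings = [];

  // An unscoped internal project name is resolvable from the public registry by
  // anything that installs it by name, so it belongs in the audit too.
  if (pkg.name && !scopeOf(pkg.name) && internal.has(pkg.name.toLowerCase())) {
    findings.push({ name: pkg.name, field: "name", risk: "high",
      reason: "unscoped internal name resolvable from the public registry" });
  }

  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) {
      const scope = scopeOf(name);
      if (!scope && internal.has(name.toLowerCase())) {
        findings.push({ name, field, risk: "high",
          reason: "internal package installed by unscoped name" });
      } else if (scope && !scopes.has(scope)) {
        findings.push({ name, field, risk: "medium",
          reason: `scope ${scope} has no registry mapping in .npmrc` });
      } else if (scope) {
        findings.push({ name, field, risk: "none",
          reason: `pinned to ${scopes.get(scope)}` });
      } else {
        findings.push({ name, field, risk: "info", reason: "public package" });
      }
    }
  }
  return findings;
}

// Run the audit on the constructed inputs and print one line per finding.
for (const f of auditPackageJson(PACKAGE_JSON, NPMRC, INTERNAL_NAMES)) {
  console.log(`${f.risk.padEnd(6)} ${f.field.padEnd(16)} ${f.name}: ${f.reason}`);
}
```

The two "high" findings are the ones the mitigation should remove: move internal packages under a scope that .npmrc maps to the private registry (or reserve the unscoped name on the public registry), and treat the project's own unscoped name the same way. Running the audit in CI against the real package.json and .npmrc catches a new unscoped internal dependency before it ships.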