Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s Guest: https://x.com/0xLupin
Resources:
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
git-dump
https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump
Depi
https://www.landh.tech/depi
Weak links of Supply Chain
https://arxiv.org/pdf/2112.10165
Timestamps:
(00:00:00) Introduction
(00:07:13) Overveiw of Supply Chain Flow
(00:15:14) Getting our Scope
(00:23:46) Depi
(00:29:12) Types of attacks and finding the 80/20
(00:45:06) Maintainer attacks
(01:10:40) Regestries, artifactories, and an npm bug
(01:31:51) Grafana NPX Confusion
