Researchers Hacked into Software Supply Chain and Earned $50K Bounty


Feb 12, 2025 - 17:05

Researchers found a significant software supply chain vulnerability, which resulted in an outstanding $50,500 bounty from a major corporation’s bug bounty program.

The duo’s success highlights the growing importance of securing the software supply chain and the risks posed by overlooked assets during corporate acquisitions.

The Target: A Newly Acquired Subsidiary

Two ethical hackers, one known by the pseudonym Snorlhax and the other a collaborator, began by identifying a subsidiary recently acquired by their target company.

They hypothesized that such acquisitions often lag in adhering to the parent company’s rigorous security standards. 

By focusing on this subsidiary, they aimed to uncover vulnerabilities that might have been overlooked during integration.

Their reconnaissance involved scouring corporate announcements, LinkedIn profiles, and technical artifacts such as JavaScript files. 

Using the SWC (Speedy Web Compiler) library to parse JavaScript into Abstract Syntax Trees (ASTs), they analyzed the dependencies referenced in those files to identify imports from private package namespaces (npm scopes).

This led them to an npm organization tied to the subsidiary, which hinted at private package usage.
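The dependency inventory described above is just as useful on the defending side: a team can list every npm scope its shipped JavaScript references and confirm that each one is a namespace it actually owns. The following is an added example, not code from the article or the researchers, and it uses a regular expression over `import`, `require()` and dynamic `import()` specifiers rather than the SWC AST approach the researchers used. The sample bundle and the allowlist of known-public scopes (`@types`, `@babel`) are constructed for the example.

```python
"""List the npm scopes a JavaScript bundle references, and flag any scope not
on a known-public allowlist as a candidate private namespace to verify.

Added example (not the article's or the researchers' code). A regex over the
common module-specifier forms stands in for the AST parsing the article
describes; it can mis-hit on string literals or comments, which an AST avoids.
"""
import re

# Matches the string literal that follows `from`, `require(` or `import(`
# (and bare `import "..."`) when it names a scoped package: @scope/name[/path]
SPECIFIER_RE = re.compile(
    r"(?:\bfrom|\brequire\s*\(|\bimport\s*\(?)\s*['\"](@[^/'\"]+)/([^/'\"]+)"
)

# Constructed sample bundle mixing public and (hypothetical) private scopes.
SAMPLE_BUNDLE = r'''
import React from "react";
import { Button } from "@acme-internal/ui";
import "@acme-internal/ui/styles.css";
const auth = require("@acme-internal/auth/client");
const rt = require("@babel/runtime/helpers/extends");
import type { Server } from "@types/node";
export const load = () => import("@acme-internal/lazy-widget");
'''

# Constructed allowlist: scopes a team knows are public registries' own.
KNOWN_PUBLIC_SCOPES = {"@types", "@babel"}


def find_scoped_packages(js_source):
    """Return {scope: {package names}} for every scoped specifier found."""
    scoped = {}
    for scope, name in SPECIFIER_RE.findall(js_source):
        scoped.setdefault(scope, set()).add(name)
    return scoped


def private_scope_candidates(js_source, known_public_scopes):
    """Scopes not on the public allowlist, with their package names sorted.
    Each one should be checked: is the scope registered and owned by us, and
    are its packages published from a pipeline we control?"""
    found = find_scoped_packages(js_source)
    return {
        scope: sorted(names)
        for scope, names in found.items()
        if scope not in known_public_scopes
    }


if __name__ == "__main__":
    for scope, names in private_scope_candidates(
        SAMPLE_BUNDLE, KNOWN_PUBLIC_SCOPES
    ).items():
        print(f"{scope}: {', '.join(names)}")
```

Run over a real build output (the bundled files a deploy actually ships), the result is the list of namespaces whose ownership and publishing path the team should be able to account for; an unowned scope, or one whose packages are published with a long-lived token, is the condition the rest of the article turns on.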

After failing to find direct leaks on GitHub, the researchers turned their attention to DockerHub. They discovered a Docker image associated with one of the subsidiary’s main products. 

Upon downloading and inspecting the image, they struck gold: it contained proprietary backend source code and an exposed .git folder.

Inside the .git/config file, they found an encoded GitHub Actions token (GHS).

This token, typically used for CI/CD workflows, was inadvertently left accessible in the Docker image. Such tokens can enable attackers to manipulate source code repositories or CI/CD pipelines if exploited before expiration.

Exploiting Docker Layers

The researchers noticed that the Dockerfile used to build the image copied in an .npmrc file containing an npm token and deleted it in a later build step. Because every Dockerfile instruction produces a new image layer and a deletion only hides the file from later layers, the earlier layer still contained the file intact.

Using tools like dive and dlayer, which allow inspection of individual Docker image layers, they retrieved the earlier layer where the .npmrc file and its token were still present.

This npm token granted read and write access to private packages under the subsidiary’s namespace. 
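The layer behaviour described above can be checked before an image is pushed. The script below is an added example, not the article's or the researchers' code, and not a substitute for dive or dlayer: it walks a `docker save` tarball (the image-spec layout with a `manifest.json` and one tar per layer), flags `.npmrc` files carrying an `_authToken` and `.git/config` files carrying the base64 `AUTHORIZATION: basic` extraheader that `actions/checkout` persists, and reports whether a later layer deleted the file through a whiteout entry (`.wh.<name>`), which is exactly the "removed in a later step but still recoverable" case. The two-layer sample image, its token values and the file paths are constructed in-memory so the script runs offline.

```python
"""Scan a `docker save` tarball for credential files present in ANY layer,
including ones a later layer deleted. Added example, not code from the
article or the researchers. Assumes the `docker save` image layout:
manifest.json listing each layer's tar. Sample image below is constructed."""
import io
import json
import re
import tarfile

# Patterns worth flagging: npm stores registry tokens as _authToken in .npmrc;
# actions/checkout persists its token in .git/config as a base64 extraheader.
SECRET_PATTERNS = {
    ".npmrc": re.compile(r"_authToken\s*=\s*(\S+)"),
    ".git/config": re.compile(r"AUTHORIZATION:\s*basic\s+(\S+)", re.I),
}
WHITEOUT_PREFIX = ".wh."  # overlay marker meaning "this path was deleted"


def scan_layer(layer_bytes):
    """Return (findings, deleted_paths) for one layer tar."""
    findings, whiteouts = [], set()
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            dirpart, _, base = name.rpartition("/")
            if base.startswith(WHITEOUT_PREFIX):
                deleted = base[len(WHITEOUT_PREFIX):]
                whiteouts.add(f"{dirpart}/{deleted}" if dirpart else deleted)
                continue
            if not member.isfile():
                continue
            for suffix, pattern in SECRET_PATTERNS.items():
                if name.endswith(suffix):
                    text = layer.extractfile(member).read().decode(errors="replace")
                    match = pattern.search(text)
                    if match:
                        findings.append((name, suffix, match.group(1)))
    return findings, whiteouts


def scan_image(image_bytes):
    """Walk layers in manifest order. A secret is reported even when a later
    layer whited it out: it is gone from the running container's view but
    still sits in the image that was pushed."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        per_layer = [scan_layer(img.extractfile(l).read())
                     for l in manifest[0]["Layers"]]
    results = []
    for idx, (findings, _) in enumerate(per_layer):
        later_deleted = set().union(*(w for _, w in per_layer[idx + 1:]))
        for path, kind, secret in findings:
            results.append({"layer": idx, "path": path, "kind": kind,
                            "secret_preview": secret[:6] + "...",
                            "deleted_later": path in later_deleted})
    return results


def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image: layer 0 copies the app (with .npmrc and a
    .git dir), layer 1 is the `RUN rm .npmrc` step, which only adds a whiteout.
    Token values are made-up placeholders."""
    layer0 = _tar_bytes({
        "app/.npmrc": b"//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken000\n",
        "app/.git/config": (b"[http \"https://github.com/\"]\n"
                            b"\textraheader = AUTHORIZATION: basic Z2hzX0VYQU1QTEU=\n"),
        "app/server.js": b"console.log('hi')\n",
    })
    layer1 = _tar_bytes({"app/.wh..npmrc": b""})
    manifest = json.dumps([{"Config": "config.json",
                            "RepoTags": ["example/app:latest"],
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "l0/layer.tar": layer0, "l1/layer.tar": layer1})


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

The fix on the build side is to keep the token out of the layer history altogether rather than deleting it afterwards: with BuildKit, `RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci` together with `docker build --secret id=npmrc,src=.npmrc` mounts the file only for that step, or a multi-stage build copies just the installed `node_modules` into the final image. Running a scan like this in CI before `docker push` catches the cases where neither was done.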


With write access to the namespace, the researchers realized they could inject malicious code into these packages, and any new version would then be fetched automatically by developers' environments, CI/CD pipelines, or even production servers.

The Potential Impact

  • Malicious packages could harvest credentials or pivot into other systems.
  • Compromised pipelines could expose sensitive environment variables or escalate privileges.
  • Automatic deployment processes could propagate the malicious code into live environments.

This chain reaction demonstrated how a single oversight in handling build artifacts could compromise an entire software lifecycle.

The company classified this vulnerability as a worst-case scenario due to its potential impact across development-to-production environments. 

The $50,500 bounty reflected its severity. For Snorlhax and their collaborator, this discovery marked the culmination of years of honing their skills and validated their approach of combining two overlooked attack surfaces: acquisitions and supply chains.

For security experts throughout the world, this is both a warning and an inspiration: often the most serious flaws are hidden in unexpected places, such as Docker images or forgotten .git folders.


The post Researchers Hacked into Software Supply Chain and Earned $50K Bounty appeared first on Cyber Security News.