Cybersecurity researchers Roni Carta (Lupin) and Snorlhax have been awarded $50,500 for identifying a significant software supply chain vulnerability affecting a recently acquired company, according to Hackread.
During an evaluation of the firm's online resources, the researchers discovered a Docker Hub organization containing a Docker image that exposed the company's backend source code together with its .git folder. A GitHub Actions token found inside the image could have been used to compromise build pipelines, introduce malicious code, and gain unauthorized access to repositories, according to a blog post by Lupin.
Although a .npmrc configuration file had been removed from the final image, inspecting the individual image layers with the Dive and Dlayer tools uncovered a private npm token, which could provide access to the company's private packages. Deleting a file in a later Dockerfile step only adds a "whiteout" entry to the new layer; the file's contents remain in the earlier layer and can be recovered by anyone who pulls the image.
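The layer-by-layer inspection described above can be automated. The following Python script is an added example, not the researchers' tooling: it reads a tarball produced by `docker save`, walks each layer in manifest order, flags `.git` metadata and token-like strings (two heuristic patterns chosen for this example), and reports whether a later layer whited the file out, which is exactly the case of the "deleted" .npmrc. The sample image, the `example/backend` tag and the tokens inside it are constructed here so the script runs offline.

```python
"""Scan a `docker save` tarball layer by layer for secrets, including files that a
later layer deleted. Docker records a deletion as a `.wh.<name>` whiteout entry in
the new layer; the bytes stay in the earlier layer. Added example, not the
researchers' tooling."""
import io
import json
import re
import tarfile
from dataclasses import dataclass
from typing import Optional

MAX_SCAN_BYTES = 1 << 20  # skip large binaries; tune for real images

# Heuristic patterns chosen for this example; extend for other token formats.
SECRET_PATTERNS = {
    "npm auth token": re.compile(r"_authToken\s*=\s*\S+"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}


@dataclass
class Finding:
    layer: int        # index into the manifest's "Layers" list
    path: str         # path inside the image filesystem
    kind: str
    deleted_in_layer: Optional[int] = None  # set when a later layer whited it out


def _normalize(name: str) -> str:
    return name[2:] if name.startswith("./") else name.lstrip("/")


def scan_image(image_tar: bytes) -> list:
    findings, whiteouts, opaque_dirs = [], {}, {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        layer_blobs = [image.extractfile(n).read() for n in manifest[0]["Layers"]]

    for idx, blob in enumerate(layer_blobs):
        with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
            for member in layer.getmembers():
                path = _normalize(member.name)
                parent, _, base = path.rpartition("/")
                if base == ".wh..wh..opq":        # opaque whiteout: whole directory replaced
                    opaque_dirs.setdefault(parent, idx)
                    continue
                if base.startswith(".wh."):       # whiteout: one entry deleted in this layer
                    target = f"{parent}/{base[4:]}" if parent else base[4:]
                    whiteouts.setdefault(target, idx)  # first layer that deletes it
                    continue
                if not member.isfile() or member.size > MAX_SCAN_BYTES:
                    continue
                if "/.git/" in f"/{path}":        # repository metadata shipped into the image
                    findings.append(Finding(idx, path, "git metadata"))
                text = layer.extractfile(member).read().decode("utf-8", "ignore")
                for kind, pattern in SECRET_PATTERNS.items():
                    if pattern.search(text):
                        findings.append(Finding(idx, path, kind))

    # A deletion only hides the file if it happens in a layer after the one holding it.
    for f in findings:
        later = whiteouts.get(f.path)
        if later is not None and later > f.layer:
            f.deleted_in_layer = later
            continue
        for d, later in opaque_dirs.items():
            if later > f.layer and f.path.startswith(d + "/"):
                f.deleted_in_layer = later
    return findings


def report(findings) -> list:
    lines = []
    for f in findings:
        state = (f"deleted in layer {f.deleted_in_layer} but still recoverable"
                 if f.deleted_in_layer is not None else "present in final image")
        lines.append(f"layer {f.layer}: {f.path}: {f.kind} ({state})")
    return lines


def _tar_bytes(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    # Constructed sample image: layer 0 copies the app tree including .git and .npmrc,
    # layer 1 is the result of a later `RUN rm .npmrc`. Tokens are fake placeholders.
    layer0 = _tar_bytes({
        "app/.npmrc": b"//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken1234567890\n",
        "app/.git/config": (b'[remote "origin"]\n\turl = https://x-access-token:ghs_'
                            + b"A" * 36 + b"@github.com/example/backend.git\n"),
        "app/index.js": b"console.log('hi')\n",
    })
    layer1 = _tar_bytes({"app/.wh..npmrc": b""})
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/backend:latest"],
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "l0/layer.tar": layer0, "l1/layer.tar": layer1})


if __name__ == "__main__":
    # Real use: docker save -o image.tar org/image:tag; scan_image(open("image.tar", "rb").read())
    for line in report(scan_image(build_sample_image())):
        print(line)
```

Run against a real image with `docker save -o image.tar org/image:tag` and pass the file's bytes to `scan_image`. The only reliable fix for a secret that ever landed in a layer is to rotate it; rebuilding the image without the file (a multi-stage build or BuildKit secret mounts) prevents the next one.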
The discovery highlights the need for stronger controls throughout the software development lifecycle, including keeping credentials and repository metadata out of published images and rotating any secret that has ever been written to an image layer. The researchers emphasized the need for such measures to prevent similar supply chain vulnerabilities in the future.
Get the latest supply chain report news at The Supply Chain Report. Learn more about international trade with tools from ADAMftd.com.