Threat actors could launch a software supply chain attack by exploiting a dependency confusion flaw in the archived Apache Cordova App Harness project, which was discontinued five years ago, reports The Hacker News.
Legit Security researchers found that the flaw would let an attacker publish a malicious package to the public npm registry under the same name as a dependency of the project, and npm would then fetch that package in its place. The researchers' own sample package published under that name was downloaded more than 100 times, which suggests the exposure is significant.
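The check below is an added illustration of the dependency-confusion pattern described above; it is not code from the article, from Legit Security or from the Cordova project. It audits a package.json for dependency names that nobody owns on the public registry and that any consumer installing by name would therefore resolve to whatever an attacker publishes. The manifest, the `publicRegistry` set standing in for a live registry lookup, the `@example` scope and the private registry URL are all constructed for the example.

```javascript
// Added example (not from the article, Legit Security or the Cordova project):
// audit a package.json for names that npm would resolve from the public
// registry although the project treats them as internal. The manifest,
// the "public registry" set and the owned scope below are all constructed.

// Constructed manifest in the shape of a project that ships sibling packages.
const manifest = {
  name: "example-harness",
  dependencies: {
    "example-harness-client": "file:../client",   // internal, never published
    "example-internal-logger": "^2.0.0",          // internal name, bare semver
    "@example/internal-utils": "^1.0.0",          // scoped to the org
    "express": "^4.18.2"                          // ordinary public package
  },
  devDependencies: {
    "mocha": "^10.0.0"
  }
};

// Constructed stand-in for "names that exist on the public npm registry".
// A real audit would query the registry (e.g. `npm view <name> name`) instead.
const publicRegistry = new Set(["express", "mocha"]);

// Constructed stand-in for scopes the organisation owns and routes to a
// private registry via .npmrc.
const ownedScopes = new Set(["@example"]);

// Specs that npm resolves without consulting a registry.
const NON_REGISTRY_SPEC = /^(file:|link:|\.\.?\/|\/|git\+|git:|github:|https?:)/;

// Classify one dependency.
//   scoped    - under a scope the org owns; safe as long as .npmrc pins that scope
//   public    - the name already exists on the public registry (ordinary third party)
//   unclaimed - nobody owns the name on the public registry, so anyone can publish
//               it and any consumer that installs it by name gets that package
function classifyDependency(name, spec, publicNames, scopes) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  const fetchedFromRegistry = !NON_REGISTRY_SPEC.test(spec);
  let status;
  if (scope !== null && scopes.has(scope)) {
    status = "scoped";
  } else if (publicNames.has(name)) {
    status = "public";
  } else {
    status = "unclaimed";
  }
  return { name, spec, status, fetchedFromRegistry };
}

// Walk every dependency section of the manifest and return the findings.
function auditManifest(pkg, publicNames, scopes) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      findings.push({ section, ...classifyDependency(name, spec, publicNames, scopes) });
    }
  }
  return findings;
}

// Only the unclaimed names are dependency-confusion candidates. A file:/relative
// spec does not make the name safe: it is still free for the taking, and any
// other manifest, lockfile-less install or copy of the package.json that lists
// it by bare name will resolve it from the public registry.
function confusableNames(pkg, publicNames, scopes) {
  return auditManifest(pkg, publicNames, scopes)
    .filter((f) => f.status === "unclaimed")
    .map((f) => f.name);
}

// Mitigation side: the .npmrc lines that pin each owned scope to a private
// registry, so a scoped internal name is never looked up publicly.
// The registry URL is a placeholder supplied by the caller.
function npmrcScopePins(scopes, privateRegistryUrl) {
  return [...scopes].map((s) => `${s}:registry=${privateRegistryUrl}`).join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditManifest(manifest, publicRegistry, ownedScopes));
  console.log("confusable:", confusableNames(manifest, publicRegistry, ownedScopes));
  console.log(npmrcScopePins(ownedScopes, "https://registry.example.internal/"));
}
```

Run with `node` to see the table; the two internal names come back as `unclaimed`, which is the condition an attacker needs. The practical fixes are to publish internal packages under an organisation scope pinned to a private registry, to register the bare name on the public registry as a placeholder so it cannot be taken, and to commit a lockfile so resolution cannot silently drift to the registry.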
"This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches. Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed," said Legit Security researcher Ofek Haviv.