Cybersecurity researchers Roni Carta, also known as Lupin, and Snorlhax have been awarded $50,500 after discovering a critical software supply chain vulnerability impacting a recently acquired organization, Hackread reports.
Evaluation of the firm's online resources led to the identification of a DockerHub organization containing a Docker image that held not only the source code of the company's backend systems but also a .git folder with a GitHub Actions authorization token. That token could be leveraged to compromise build pipelines, enable malicious code injection, and breach further repositories, according to a blog post from Lupin. Although the .npmrc configuration file had been removed from the Docker image, the Dive and Dlayer tools still allowed the researchers to recover a private npm token that granted access to private packages, which could be stealthily compromised. Such findings should prompt more stringent security measures at every step of the software development pipeline, the researchers said.
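The finding above turns on a property of container images that is easy to overlook: deleting a file in a later Dockerfile step only adds a whiteout entry to a new layer, while the bytes remain in the earlier layer, which is what lets tools such as Dive or Dlayer recover a removed .npmrc. The following is an added example, not code from the researchers or from Hackread, of a defensive audit script that walks every layer of a `docker save` archive, flags credential files such as .npmrc and the .git/config entry in which actions/checkout persists its token, and reports whether a hit was "deleted" afterwards. The image it scans is constructed in memory, and every token value in it is a placeholder; the detection rules are illustrative, not a complete secret-scanning ruleset.

```python
"""Audit a `docker save` archive for credential files left in any layer.

Added example (not from the original report). A later `rm` only adds an OCI
whiteout entry, so every layer is inspected and hits that a later layer
removed are marked as still recoverable. All token values are constructed.
"""
import base64
import io
import json
import re
import tarfile
from dataclasses import dataclass

# Illustrative rules only (assumption: not a complete secret-detection set).
SENSITIVE_SUFFIXES = (".npmrc", ".git/config", ".git/HEAD")
TOKEN_PATTERNS = {
    "npm-authToken": re.compile(r"_authToken\s*=\s*\S+"),
    # actions/checkout stores its token as a base64 "basic" extraheader.
    "git-extraheader": re.compile(r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+\S+", re.I),
    "github-token": re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}"),
}
WHITEOUT = ".wh."  # OCI prefix marking a file deleted in this layer


@dataclass
class Finding:
    layer: int            # index into the manifest's "Layers" list
    path: str
    reasons: list[str]
    deleted_later: bool   # a later layer whited the file out (bytes still present)


def _split(name: str) -> tuple[str, str]:
    head, sep, tail = name.rpartition("/")
    return head + sep, tail


def _members(layer_bytes: bytes):
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as t:
        for m in t.getmembers():
            yield m.name, (t.extractfile(m).read() if m.isfile() else b"")


def _with_decoded_basic(text: str) -> str:
    """Append decoded 'basic <b64>' credentials so token patterns can see them."""
    extra = []
    for m in re.finditer(r"basic\s+([A-Za-z0-9+/=]+)", text, re.I):
        try:  # binascii.Error is a ValueError subclass
            extra.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return text + "\n" + "\n".join(extra)


def scan_image(image_bytes: bytes) -> list[Finding]:
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.loads(img.extractfile("manifest.json").read())
        blobs = [img.extractfile(layer).read() for layer in manifest[0]["Layers"]]
    # Pass 1: record the layer in which each whiteout appears.
    deleted_in: dict[str, int] = {}
    for idx, blob in enumerate(blobs):
        for name, _ in _members(blob):
            d, f = _split(name)
            if f.startswith(WHITEOUT):
                deleted_in[d + f[len(WHITEOUT):]] = idx
    # Pass 2: inspect every regular file in every layer, whiteouts excluded.
    findings: list[Finding] = []
    for idx, blob in enumerate(blobs):
        for name, data in _members(blob):
            if _split(name)[1].startswith(WHITEOUT):
                continue
            reasons = ["sensitive path"] if name.endswith(SENSITIVE_SUFFIXES) else []
            text = _with_decoded_basic(data.decode("utf-8", "replace"))
            reasons += [label for label, pat in TOKEN_PATTERNS.items() if pat.search(text)]
            if reasons:
                findings.append(Finding(idx, name, reasons, deleted_in.get(name, -1) > idx))
    return findings


def _tar(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed image: layer 0 copies a checkout (secrets included), layer 1 runs `rm .npmrc`."""
    basic = base64.b64encode(b"x-access-token:ghs_EXAMPLEPLACEHOLDER0123456789").decode()
    layer0 = _tar({
        "app/.npmrc": b"//registry.npmjs.org/:_authToken=npm_EXAMPLEPLACEHOLDERTOKEN\n",
        "app/.git/config": f"[http]\n\textraheader = AUTHORIZATION: basic {basic}\n".encode(),
        "app/index.js": b"console.log('hello')\n",
    })
    layer1 = _tar({"app/.wh..npmrc": b""})
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/app:latest"],
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar({"manifest.json": manifest, "l0/layer.tar": layer0, "l1/layer.tar": layer1})


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        note = " (removed in a later layer, still recoverable)" if f.deleted_later else ""
        print(f"layer {f.layer}: {f.path}: {', '.join(f.reasons)}{note}")
```

Against the constructed image the script reports both the .npmrc (marked as removed later but still present in layer 0) and the .git/config carrying the checkout token. For a real image, replace `build_sample_image()` with the bytes of `docker save image:tag`; the structural fix the report points to is to keep credentials out of the build context entirely (.dockerignore for .git and .npmrc, multi-stage builds, and BuildKit secret mounts rather than copied files), since no later layer can undo a leak into an earlier one.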