Author : Vishal Singh
Co-Authors and Contributors: Godson Bastin
Editor : Deepanjli Paulraj
BeVigil, the world’s first security search engine, identified several apps leaking Mailchimp API keys. Based on these findings, CloudSEK researchers identified 2 unclaimed packages in Mailchimp’s code that create a dependency confusion vulnerability. This can be leveraged to inject malicious code into Mailchimp’s code.
With ~800,000 paying customers and ~13 million users, Mailchimp is one of the world’s largest marketing automation platforms, enabling businesses to engage with customers and audiences.
In this blog, we claim one of the unclaimed packages in Mailchimp’s code to illustrate how dependency confusion can be exploited by threat actors, and why it is a vulnerability that organizations should be vigilant about.
Dependency Confusion in Mailchimp
Dependency confusion is a software supply chain vulnerability that can be exploited to trick a software installer into calling a malicious code file from a public code repository instead of calling a file of the same name from the authorized internal repository.
Mailchimp has 2 unclaimed packages: mailchimp-marketing and mailchimp_transactional.
Mailchimp’s API documentation shows that the require() calls for the above packages are not configured correctly. Hence, when a user tries to install them, the attacker’s package gets installed instead. To illustrate how an attacker can accomplish this, we took over the mailchimp-marketing package.*
How Mailchimp’s Dependency Confusion can be Exploited
We installed the mailchimp-marketing package from the Mailchimp repository by following the instructions in the installation guide.
To import the authorized package, the following require() call has to be used: require("@mailchimp/mailchimp_marketing"). However, the API documentation directs users to use require("mailchimp-marketing").
When this name is used, npmjs.org/mailchimp-marketing responds with a 404 status code, showing that a package named mailchimp-marketing does not exist in the registry. Hence, we could publish a library named mailchimp-marketing on npmjs.
We cloned the original Mailchimp repo and published a project named mailchimp-marketing with a harmless webhook in the code: we downloaded the original mailchimp_marketing package from GitHub and added the webhook to the ApiClient.js file.
Whenever a user downloads this repo, which we have taken over, the webhook will be triggered and we will receive a notification.
The repo we claimed and the hosted code can be found here.
The downloads and the webhook triggered 500-1000 hits per week from MailChimp users.
Next, we used the npm CLI to upload this package with mailchimp-marketing as the package name.
So far we have got 72,389 hits (the code is used by users repeatedly) for a single package, and there is another package available for takeover.
The Unclaimed Package
The package mailchimp_transactional also returns a 404 Not Found response from npm, showing that it is also unclaimed. Threat actors could claim this package and host malicious code on it.
Impact
Threat actors can take over the unclaimed packages to target public Mailchimp users’ systems by:
- Initiating Remote Code Execution
- Installing malware
- Implementing keyloggers and bitcoin miners
- Launching ransomware attacks
Mitigation
Mailchimp should update the API documentation for both unclaimed packages:
- require("mailchimp-marketing") should be updated to require("@mailchimp/mailchimp_marketing")
- require("mailchimp_transactional") should be updated to require("@mailchimp/mailchimp_transactional")
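As an added example (not CloudSEK’s or Mailchimp’s code) of how a project can catch the documentation mistake above before npm resolves the wrong name, the following audit flags the unscoped names in a package.json and in require()/import specifiers and rewrites them to the scoped packages recommended in the mitigation. The name mapping is taken from this post; the sample source is constructed for the demo.

```javascript
// Added example, not code from the CloudSEK post or from Mailchimp.
// CANONICAL maps the unscoped names this post documents to the scoped
// packages the Mitigation section recommends; everything else is constructed.
const CANONICAL = {
  "mailchimp-marketing": "@mailchimp/mailchimp_marketing",
  "mailchimp_transactional": "@mailchimp/mailchimp_transactional",
};

// Package part of a bare specifier: "lodash/fp" -> "lodash", "@s/p/x" -> "@s/p"
function packageName(spec) {
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Audit the dependency sections of a parsed package.json object.
function auditPackageJson(pkg) {
  const out = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (CANONICAL[name]) out.push({ section, name, use: CANONICAL[name] });
    }
  }
  return out;
}

// Matches require("x") / require('x') and import ... from "x"
const SPEC_RE = /(require\(\s*|\bfrom\s+)(['"])([^'"]+)\2/g;

// Audit JS source text for specifiers whose package part is an unscoped name.
function auditSource(src) {
  const out = [];
  for (const m of src.matchAll(SPEC_RE)) {
    const name = packageName(m[3]);
    if (CANONICAL[name]) out.push({ specifier: m[3], use: CANONICAL[name] });
  }
  return out;
}

// Rewrite flagged specifiers, preserving any subpath and the quote style.
function fixSource(src) {
  return src.replace(SPEC_RE, (full, lead, q, spec) => {
    const name = packageName(spec);
    if (!CANONICAL[name]) return full;
    return `${lead}${q}${CANONICAL[name]}${spec.slice(name.length)}${q}`;
  });
}

// Constructed sample mirroring the documentation mistake described in the post.
const SAMPLE_SOURCE = `const mc = require("mailchimp-marketing");
const ok = require("@mailchimp/mailchimp_marketing");
import tx from 'mailchimp_transactional/lib/index.js';`;
```

Running auditSource(SAMPLE_SOURCE) reports the two unscoped specifiers and leaves the already-scoped one alone; fixSource(SAMPLE_SOURCE) rewrites only those two.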
References
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
- https://expandedramblings.com/index.php/mailchimp-statistics/
*Note: Mailchimp was notified about this but did not respond to our disclosures, or rectify the issue.