Hackers Can Target Mailchimp Users By Exploiting a Dependency Confusion Bug


October 20, 2022
Last update: February 3, 2024

Author: Vishal Singh
Co-Authors and Contributors: Godson Bastin
Editor: Deepanjli Paulraj

BeVigil, the world’s first security search engine, identified several apps leaking Mailchimp API keys. Following up on these findings, CloudSEK researchers identified 2 unclaimed npm package names referenced in Mailchimp’s documentation that create a dependency confusion condition. This can be leveraged to inject malicious code into applications that depend on Mailchimp’s libraries.

With ~800,000 paying customers and ~13 million users, Mailchimp is one of the world’s largest marketing automation platforms, enabling businesses to engage with customers and audiences.

In this blog, we claim one of the unclaimed packages in Mailchimp’s code to illustrate how dependency confusion can be exploited by threat actors, and why it is a vulnerability that organizations should be vigilant about.

Dependency Confusion in Mailchimp

Dependency confusion is a software supply chain vulnerability that can be exploited to trick a software installer into calling a malicious code file from a public code repository instead of calling a file of the same name from the authorized internal repository.

Mailchimp has 2 unclaimed packages: mailchimp-marketing and mailchimp_transactional.

Mailchimp’s API documentation shows that the require() calls given for the above packages are incorrect: they reference unscoped package names that do not exist on npm. Hence, when a user installs the package under the documented name, an attacker’s package published under that name gets installed instead. To illustrate how an attacker can accomplish this, we took over the mailchimp-marketing package.*

How Mailchimp’s Dependency Confusion can be Exploited

We installed the mailchimp-marketing package, from the Mailchimp repository, by following the instructions in the installation guide.

Install the mailchimp_marketing package

Import mailchimp_marketing

To import the authorized package, the following require() call has to be used: require("@mailchimp/mailchimp_marketing"). However, the API documentation directs users to use require("mailchimp-marketing").

When this name is looked up, npmjs.org/mailchimp-marketing responds with a 404 status code. This shows that a package named mailchimp-marketing is not available in the registry. Hence, we could publish a library named mailchimp-marketing on npmjs.org.

We cloned the original Mailchimp repo and published a project named mailchimp-marketing, with a harmless webhook in the code. We downloaded the original mailchimp_marketing package from GitHub and added the webhook in the ApiClient.js file.

Whenever a user downloads this package, whose name we have taken over, the webhook is triggered and we receive a notification.

The repo we claimed and the hosted code can be found here.

The downloads and the webhook triggered 500-1000 hits per week from Mailchimp users.

Webhook added in the ApiClient.js file

Next, we used the npm CLI to upload this package with mailchimp-marketing as the package name.

So far we have received 72,389 hits (the code is used by users repeatedly) for a single package, and there is another package name available for takeover.

Hits for the package

The Unclaimed Package

The package mailchimp_transactional also returns a 404 Not Found response from npm, showing that it is also unclaimed. Threat actors can claim this package and host malicious code on it.

Impact

Threat actors can take over the unclaimed packages to target public Mailchimp users’ systems by:

  • Initiating Remote Code Execution
  • Installing malware
  • Implementing keyloggers and bitcoin miners
  • Launching ransomware attacks

Mitigation

Mailchimp should update the API documentation for both unclaimed packages.

  • require("mailchimp-marketing") should be updated to require("@mailchimp/mailchimp_marketing")
  • require("mailchimp_transactional") should be updated to require("@mailchimp/mailchimp_transactional")
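Consumers of these libraries can catch the same mistake on their side. The following audit script is an added example (not code from the CloudSEK post or from Mailchimp): it extracts require()/import specifiers from source, flags any that name a vetted scoped package under an unscoped spelling, and reports whether that unscoped name is unclaimed on the registry or already published by someone else. The vetted list and the registry contents are constructed for the example; a real check would query the npm registry instead of the stand-in set.

```javascript
// Added example, not code from the CloudSEK post or from Mailchimp: audit
// JavaScript source for require()/import specifiers that match a vetted,
// scoped package only after dropping the scope, and report whether that
// unscoped name is unclaimed on the registry (claimable by anyone) or
// already published by an unknown party. All names below are constructed.
const VETTED = [
  '@mailchimp/mailchimp_marketing',
  '@mailchimp/mailchimp_transactional',
];
// Constructed stand-in for a registry lookup: the names that do not 404.
// In production, query https://registry.npmjs.org/<name> instead.
const CONSTRUCTED_REGISTRY = new Set([
  '@mailchimp/mailchimp_marketing',
  '@mailchimp/mailchimp_transactional',
  'express',
  'mailchimp-marketing', // unscoped name, already published by a third party
]);
// Pull specifiers out of require('x'), import x from 'x' and import 'x'.
function extractSpecifiers(source) {
  const re = /(?:require\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"]+)\1/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}
// Comparison key: drop the scope, lower-case, treat '-' and '_' alike, so
// 'mailchimp-marketing' collides with '@mailchimp/mailchimp_marketing'.
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/-/g, '_');
}
// One finding per specifier that names a vetted package under the wrong
// (unscoped) name. status: 'unclaimed' = 404 on the registry, anyone may
// publish it; 'published-unvetted' = exists but is not the vetted package.
function auditSource(source, registry = CONSTRUCTED_REGISTRY, vetted = VETTED) {
  const findings = [];
  for (const spec of extractSpecifiers(source)) {
    if (vetted.includes(spec)) continue; // correct scoped name
    const expected = vetted.find((v) => normalize(v) === normalize(spec));
    if (!expected) continue; // unrelated dependency
    const status = registry.has(spec) ? 'published-unvetted' : 'unclaimed';
    findings.push({ specifier: spec, expected, status });
  }
  return findings;
}
// Constructed sample mirroring the documentation mistake described above.
const SAMPLE_SOURCE = `
const mailchimp = require("mailchimp-marketing");
const express = require('express');
import tx from "mailchimp_transactional";
import ok from '@mailchimp/mailchimp_marketing';
`;
console.log(auditSource(SAMPLE_SOURCE));
```

Either status is a finding worth acting on: an unclaimed name is a takeover waiting to happen, and a published-unvetted one means the code being installed is not the vendor’s.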

*Note: Mailchimp was notified about this but did not respond to our disclosures, or rectify the issue.
