Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.
Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.
The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration and recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps, as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.
Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed techniques such as transforming JavaScript files into Abstract Syntax Trees (ASTs) and analyzing Docker images to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.
The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.
According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.
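The check below is an added example, not code from the article or from the researchers. It scans the text of a `.git/config` for the two places credentials commonly end up: an `extraheader` carrying an `AUTHORIZATION: basic` value (the form `actions/checkout` writes when it persists the job token into the checkout) and userinfo embedded in a remote URL. The config text and the token values are constructed for the example; only the prefix classification (`ghs_`, `ghp_`, `glpat-`) reflects real token formats.

```python
"""Find credentials left behind in a .git/config (added example, constructed input)."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample: an actions/checkout style extraheader plus a remote URL
# with embedded userinfo. Token values are placeholders, not real secrets.
_BASIC = base64.b64encode(b"x-access-token:ghs_EXAMPLETOKEN123456789").decode()
SAMPLE_GIT_CONFIG = f"""\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/backend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {_BASIC}
[remote "mirror"]
\turl = https://deploy:glpat-EXAMPLETOKEN0000@gitlab.example.com/org/backend.git
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s*=\s*(.*?)\s*$")
URL_CRED_RE = re.compile(r"^https?://(?P<user>[^:/@]+):(?P<secret>[^@/]+)@(?P<host>[^/]+)")

# Known token prefixes (assumed classification table for the report).
PREFIXES = {
    "ghs_": "GitHub Actions / app installation token",
    "ghp_": "GitHub personal access token",
    "glpat-": "GitLab personal access token",
}


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Minimal git-config parser: returns (section, key, value) triples.
    configparser is not used because it treats indented lines as continuations."""
    section, entries = "", []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if m and section:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def redact(secret: str) -> str:
    """Keep only enough of the value to identify its type in a report."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def classify(secret: str) -> str:
    for prefix, label in PREFIXES.items():
        if secret.startswith(prefix):
            return label
    return "unknown credential"


def find_git_credentials(text: str) -> List[Dict[str, str]]:
    """Report embedded credentials found in a .git/config, with secrets redacted."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key == "extraheader":
            m = re.match(r"(?i)authorization:\s*basic\s+(\S+)", value)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            user, _, secret = decoded.partition(":")
            findings.append({"where": f"[{section}] extraheader", "user": user,
                             "secret": redact(secret), "type": classify(secret)})
        elif key == "url":
            m = URL_CRED_RE.match(value)
            if m:
                findings.append({"where": f"[{section}] url", "user": m["user"],
                                 "secret": redact(m["secret"]), "type": classify(m["secret"])})
    return findings


if __name__ == "__main__":
    for f in find_git_credentials(SAMPLE_GIT_CONFIG):
        print(f)
```

Run it against any `.git/config` pulled out of a built artifact; a non-empty result means the checkout's credentials travelled with the image. The same logic belongs in a pre-push or image-build hook, since the fix is simply to not copy `.git` into the image (or to check out with credential persistence disabled).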
Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.
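The script below is an added example, not the researchers' tooling and not a replacement for Dive or Dlayer; it is a minimal stand-in for the check they describe. It reads a `docker save` style tarball layer by layer, records every regular file as it first appears, and reports any file that a later layer deletes with a whiteout entry (`.wh.<name>`), since the earlier layer still carries the bytes. The image is constructed in memory, with an `.npmrc` added in layer one and removed in layer two; the token value is a placeholder.

```python
"""Find files that were deleted in a later image layer but survive in an earlier one.
Added example with a constructed two-layer image; not the article's own tooling."""
import io
import json
import tarfile
from typing import Dict, List


def _tar_bytes(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive from a path -> content mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed `docker save` layout: manifest.json plus per-layer layer.tar files.
    Layer 0 writes app/.npmrc; layer 1 deletes it via the whiteout app/.wh..npmrc."""
    layer0 = _tar_bytes({
        "app/package.json": b"{}",
        "app/.npmrc": b"//registry.npmjs.org/:_authToken=npm_EXAMPLE0000000000\n",
    })
    layer1 = _tar_bytes({"app/.wh..npmrc": b""})
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["acquired/backend:latest"],
        "Layers": ["l0/layer.tar", "l1/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "l0/layer.tar": layer0, "l1/layer.tar": layer1})


def find_shadowed_files(image_bytes: bytes) -> List[Dict[str, object]]:
    """Walk layers in manifest order; report files removed by a whiteout after
    they were written, because the removed content remains in the earlier layer."""
    findings: List[Dict[str, object]] = []
    seen: Dict[str, tuple] = {}  # path -> (layer index, content)
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        layers = json.load(image.extractfile("manifest.json"))[0]["Layers"]
        for idx, name in enumerate(layers):
            layer_data = image.extractfile(name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                for member in layer.getmembers():
                    base = member.name.rsplit("/", 1)[-1]
                    parent = member.name[: len(member.name) - len(base)]
                    if base.startswith(".wh."):
                        # Opaque whiteouts (.wh..wh..opq) never match a seen path.
                        target = parent + base[len(".wh."):]
                        if target in seen:
                            first, data = seen[target]
                            findings.append({
                                "path": target,
                                "introduced_in": first,
                                "deleted_in": idx,
                                "size": len(data),
                                "snippet": data[:60].decode("utf-8", "replace"),
                            })
                    elif member.isfile():
                        seen[member.name] = (idx, layer.extractfile(member).read())
    return findings


if __name__ == "__main__":
    for f in find_shadowed_files(build_sample_image()):
        print(f)
```

On a real image, feed it the output of `docker save image:tag > image.tar`. The lesson it encodes is the one from the article: an `RM` in a later Dockerfile step hides a file from the running container but not from anyone who pulls the image, so secrets must never be written into a layer in the first place (multi-stage builds or BuildKit secret mounts instead of copying `.npmrc` in).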
The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level and leading to large-scale data theft and data breaches.
Software supply chain vulnerabilities have affected thousands of businesses in recent months. Attacks involving Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to impact organizations worldwide.
The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the affected company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.
This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.