Network Security, Vulnerability Management, Supply chain

Dependency confusion vulnerability impacts archived Apache project

Apache HTTP Server website ( displayed on smartphone

Threat actors could potentially launch a software supply chain attack by exploiting a dependency confusion flaw impacting the archived Apache Cordova App Harness project, which was discontinued five years ago, reports The Hacker News.

Legit Security researchers discovered that such a vulnerability could be leveraged to facilitate the uploading of a malicious version of the software using the same name that would then be fetched by NPM and with the sample already downloaded more than 100 times, significant risk is likely.

"This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches. Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed," said Legit Security researcher Ofek Haviv.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.