
Mailchimp users can be targeted via dependency confusion

Mailchimp users can be targeted via a dependency confusion bug. CloudSEK cybersecurity experts report that two unclaimed package names can be leveraged to inject malicious code (malware, ransomware) into the systems of users who install the packages that Mailchimp's documentation references.

Cybercrime actors can target Mailchimp users by exploiting a dependency confusion bug discovered by CloudSEK cybersecurity experts. The researchers identified two unclaimed package names that can be leveraged to inject malicious code into applications that integrate with Mailchimp: “mailchimp-marketing” and “mailchimp_transactional”. Mailchimp's API documentation references these names in its require statements, but neither name is registered on the public package registry. When a user follows the documentation and installs them, the package manager fetches whatever has been published under that name, so an attacker who claims the names gets their package installed instead. Threat actors who take over the unclaimed packages can target the systems of public Mailchimp users by:

  • Achieving remote code execution;
  • Installing malware;
  • Deploying keyloggers and bitcoin miners;
  • Launching ransomware attacks.
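The check a practitioner would run after reading this, as an added example that is not code from the page, from CloudSEK or from Mailchimp: scan application source for require/import specifiers, reduce each to the package name the package manager would resolve, and compare it against package.json and a registry snapshot. Names that are referenced but not published are the ones an attacker can claim. The source snippet, package.json and registry snapshot below are constructed for the example; in particular, the scoped name @mailchimp/mailchimp_marketing appearing as published is an assumption, and in practice the snapshot would be replaced by querying the registry the install actually uses (for npm, `npm view <name>`).

```javascript
// Added example, not code from the page or from CloudSEK/Mailchimp.
// Flags package names that source code references but that are either not
// declared in package.json or not published at all (unclaimed, so an
// attacker can register them). All inputs below are constructed.

// Reduce an import specifier to the package name npm would resolve.
// Relative/absolute paths and node: builtins are not registry packages.
function packageNameFromSpecifier(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  // "@scope/name/sub" -> "@scope/name"; "name/sub" -> "name".
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect package names from require('x'), import ... from 'x', and import 'x'.
function extractPackageNames(source) {
  const names = new Set();
  const re = /(?:require\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;
  let match;
  while ((match = re.exec(source)) !== null) {
    const name = packageNameFromSpecifier(match[1]);
    if (name) names.add(name);
  }
  return [...names].sort();
}

// Classify each referenced name:
//   UNCLAIMED  - not in the registry snapshot; anyone can publish under it
//   UNDECLARED - published, but not in package.json (installed by hand from
//                docs, so nothing pins where it comes from)
//   OK         - declared and published
function auditDependencies(source, pkgJson, registrySnapshot) {
  const declared = new Set(Object.keys(pkgJson.dependencies || {}));
  return extractPackageNames(source).map((name) => {
    const isDeclared = declared.has(name);
    const isPublished = registrySnapshot.has(name);
    const status = !isPublished ? 'UNCLAIMED' : !isDeclared ? 'UNDECLARED' : 'OK';
    return { name, declared: isDeclared, published: isPublished, status };
  });
}

function unclaimedNames(findings) {
  return findings.filter((f) => f.status === 'UNCLAIMED').map((f) => f.name);
}

// Constructed inputs: a snippet in the style of API docs pasted into an app,
// the app's package.json, and a snapshot standing in for a registry query.
const SAMPLE_SOURCE = `
const marketing = require("mailchimp-marketing");
import transactional from 'mailchimp_transactional';
import { setConfig } from '@mailchimp/mailchimp_marketing';
import express from 'express';
import 'dotenv/config';
const helper = require('./lib/helper');
const fs = require('node:fs');
`;

const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@mailchimp/mailchimp_marketing': '^3.0.0', dotenv: '^16.0.0' },
};

// Assumption for the example: only these names are published.
const REGISTRY_SNAPSHOT = new Set(['@mailchimp/mailchimp_marketing', 'dotenv', 'express']);

const findings = auditDependencies(SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON, REGISTRY_SNAPSHOT);
for (const f of findings) console.log(`${f.status.padEnd(10)} ${f.name}`);
console.log('unclaimed (claim or remove before an attacker does):', unclaimedNames(findings));
```

Against the constructed inputs, the two names the report describes come back UNCLAIMED, `express` comes back UNDECLARED because it was pulled in by hand rather than through package.json, and the scoped package and `dotenv` are OK. The practical remedy for an UNCLAIMED name referenced by your own documentation is to publish a placeholder under it or correct the documentation; for consumers, only install names that the vendor actually publishes and pin them in package.json and the lockfile.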