Dependency Confusion Vulnerability in Sifnode Due to Unclaimed npm Packages.
Sifchain
Reported by
0xcachefl0w
Vulnerability Details
Technical details and impact analysis
## Summary:
Hello,
I've found a Dependency Confusion vulnerability in the sifnode project. The vulnerability allows me to claim previously unclaimed npm packages that are being used by the sifnode project, and serve malicious content in them which would allow me to gain remote code execution on anyone who installs the project.
## Steps To Reproduce:
1. Create an account on npmjs.org and publish two malicious packages with names `sifchain-monorepo` and `testnet-contracts`.
2. Wait and watch as your malware is unknowingly distributed among thousands of users.
## Supporting Material/References:
I claimed the package `sifchain-monorepo` a day ago and since then it has been downloaded over 300 times.
[Attachment F1292543]
Note that I did not make the package malicious as the scope only specified testing to be done in the source code, and putting malware inside the package would have affected hundreds of users, and I did not have the authorization to do so.
I claimed the package `testnet-contracts` an hour ago too, but since it has not yet been a day, I am not able to view the statistics.
[Attachment F1292575]
## Mitigation
Once you have reviewed this report, I can unclaim the two packages and you can upload your own ones there. You can also ask developers to configure their machines so that they request internal packages from internal or cloud-based servers, instead of from npmjs.org, which might contain malicious ones.
## References
These are two excellent blog posts explaining the issue in detail:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
https://incolumitas.com/2016/06/08/typosquatting-package-managers/
## Impact
Remote Code Execution on potentially thousands of users - including developers inside the organization.
Regards,
- quas4r
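As an added example (not part of the report above), the mitigation the reporter describes can be backed by a lockfile check: every package name the organisation publishes only internally must resolve from the internal registry, never from registry.npmjs.org. The internal package list, the internal registry host and the sample package-lock.json are constructed for the example.

```javascript
// Added example, not from the report: audit a package-lock.json for
// dependency-confusion exposure. An internally published name must resolve
// from the internal registry; a registry.npmjs.org URL means the public name won.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
function auditLock(lockJson, internalNames, internalRegistry) {
  const lock = JSON.parse(lockJson);
  // lockfileVersion 2/3 keys entries under "packages" by install path
  // ("node_modules/foo", "node_modules/a/node_modules/@s/b"); v1 uses a
  // top-level "dependencies" object keyed by bare package name.
  const entries = lock.packages
    ? Object.entries(lock.packages)
        .filter(([path]) => path.includes("node_modules/"))
        .map(([path, meta]) => [path.replace(/^.*node_modules\//, ""), meta])
    : Object.entries(lock.dependencies || {});
  const findings = [];
  for (const [name, meta] of entries) {
    if (!internalNames.has(name)) continue;
    const resolved = meta.resolved || "";
    if (resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, resolved, reason: "resolved from public registry" });
    } else if (!resolved.startsWith(internalRegistry)) {
      findings.push({ name, resolved, reason: "resolved from unexpected source" });
    }
  }
  return findings;
}
// Constructed sample inputs (hypothetical internal registry host and lockfile).
const INTERNAL_NAMES = new Set(["sifchain-monorepo", "testnet-contracts"]);
const INTERNAL_REGISTRY = "https://npm.internal.example/";
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "sifchain-monorepo": "1.0.0", "testnet-contracts": "0.1.0" } },
    "node_modules/sifchain-monorepo": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/sifchain-monorepo/-/sifchain-monorepo-1.0.0.tgz" },
    "node_modules/testnet-contracts": { version: "0.1.0",
      resolved: "https://npm.internal.example/testnet-contracts/-/testnet-contracts-0.1.0.tgz" },
    "node_modules/lodash": { version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
});
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditLock(SAMPLE_LOCK, INTERNAL_NAMES, INTERNAL_REGISTRY)); // flags sifchain-monorepo
}
```

Run it against a real lockfile in CI with the organisation's own internal name list; any finding means the install would pull a publicly claimable name from npmjs.org.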
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Weakness
Code Injection