Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/0xLupin Resources: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 git-dump https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump Depi https://www.landh.tech/depi Weak links of Supply Chain https://arxiv.org/pdf/2112.10165 Timestamps: (00:00:00) Introduction (00:07:13) Overveiw of Supply Chain Flow (00:15:14) Getting our Scope (00:23:46) Depi (00:29:12) Types of attacks and finding the 80/20 (00:45:06) Maintainer attacks (01:10:40) Regestries, artifactories, and an npm bug (01:31:51) Grafana NPX Confusion