itc-actors-api
v99.0.0
Published
SECURITY RESEARCH — Apple Bug Bounty — Dependency Confusion PoC — Contact: [email protected]
Maintainers
Readme
⚠️ SECURITY RESEARCH — DO NOT USE IN PRODUCTION
This package is a dependency confusion proof-of-concept for the Apple Bug Bounty program.
What is this?
This package was registered as part of authorized security research demonstrating that the name itc-actors-api (used internally by Apple's App Store Connect) was not defensively registered on the public npm registry.
If you see this in your node_modules
Your build system is resolving internal/private packages from the public npm registry. This is a supply chain vulnerability. Your .npmrc should be configured to only resolve internal packages from your private registry.
Contact
- Researcher: Mohd Haji ([email protected])
- Program: Apple Security Bounty
- Reference: Dependency Confusion (Birsan, 2021)
This package does NOT:
- Read files from your system
- Access credentials or environment variables
- Establish persistent access
- Modify system state
- Exfiltrate sensitive data
It performs a single DNS lookup to log that it was installed (hostname only), as proof that the dependency confusion vector is exploitable.
