Malicious actors are exploiting a new 'Dependency Confusion' vulnerability to target Amazon, Zillow, Lyft, and Slack NodeJS apps and steal Linux/Unix password files and open reverse shells back to the attackers. 

Last month, BleepingComputer reported that security researcher Alex Birsan earned bug bounties from 35 companies by utilizing a new flaw in open-source development tools.

This flaw works by attackers creating packages utilizing the same names as a company's internal repositories or components. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.