Thursday, April 24, 2025
Researchers Breach Software Supply Chain and Secure $50K Bug Bounty
A duo of cybersecurity researchers uncovered a critical vulnerability in a software supply chain, landing them an extraordinary $50,500 bug bounty.

The exploit, described as an “Exceptional Vulnerability,” not only exposed systemic flaws in software supply chain security but also demonstrated just how far-reaching the impact of overlooked weak points can be.

The researchers, who go by the pseudonyms “Snorlhax” and a collaborator, shared their meticulous, multi-pronged approach in a detailed disclosure.

The two first joined forces years ago out of a competitive camaraderie but soon realized that collaboration could lead to even bigger wins.

Together, they identified and reported vulnerabilities ranging from IDORs and SQL injection to XSS and more.

However, their ultimate goal remained elusive for years: to discover a world-class vulnerability capable of earning a bounty well beyond standard payouts.

The opportunity finally came when they zeroed in on the software supply chain of a newly acquired subsidiary of a major company.

Their target was the subsidiary’s inadequate integration practices, a common weak point in mergers and acquisitions.

Exploiting the Software Supply Chain

Their hunt began by analyzing public information about the company’s acquisitions and carefully mapping out the subsidiary’s software ecosystem.

Using advanced techniques, including analyzing JavaScript files and Docker images, they identified vulnerabilities in the subsidiary’s supply chain—a critical area encompassing source code, build processes, and deployment pipelines.

The breakthrough came when they discovered an oversight in a Docker image hosted on DockerHub. Inside the container, they found proprietary backend source code.

Digging deeper, they realized the container still contained a .git folder, complete with a misconfigured GitHub Actions token.

[Figure: acquisition-utils]

This token, which was left behind during the container’s build process, granted access to private GitHub repositories associated with the target company.

Their discovery didn’t end there. By extracting additional layers of the Docker image, they recovered an improperly removed .npmrc file containing a private npm token.

This token allowed the duo to tamper with private npm packages, effectively offering a way to inject malicious code into the development pipelines, staging environments, and even production servers.

The attack vector could have compromised everything from developer machines to the company’s CI/CD pipelines and live applications.

The Impact and Response

The duo meticulously documented their findings, highlighting how attackers could use the compromised token to insert backdoors into npm packages relied on throughout the organization.

Once the package was fetched in development or production environments, attackers could exfiltrate sensitive data or escalate their access.

The company’s security team classified the vulnerability as a “worst-case scenario” due to its potential to disrupt the entire software development lifecycle.

They promptly mitigated the flaws and rewarded the researchers with an off-the-charts bounty of $50,500.

This case underscores a critical reality: the software supply chain, especially in newly acquired subsidiaries, remains a high-value target for attackers.

Code Snippet from Their Discovery

Here is an example of the .git/config file, recovered from the container, that exposed the GitHub Actions token:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://github.com/Acquisition/backend
	fetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46TG9sWW91V2FudGVkVG9TZWVUaGVUb2tlblJpZ2h0Pw==

Similarly, by exploring earlier Docker layers, they recovered the .npmrc file that a later layer had deleted, containing:

//registry.npmjs.org/:_authToken=<PRIVATE_NPM_TOKEN>
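As an added defensive example (not the researchers’ tooling or the company’s code), the following Python scanner walks each layer tarball of an exported image and flags the two indicators shown above, plus the whiteout entries that reveal a file was deleted in a later layer while its bytes remain in a lower one; the sample layers and the placeholder token values are constructed.

```python
import io
import re
import tarfile

# Indicators for the two leaks described in the article (constructed patterns).
RULES = {
    "git-extraheader": re.compile(r"^\s*extraheader\s*=\s*AUTHORIZATION:", re.I | re.M),
    "npmrc-authtoken": re.compile(r"_authToken\s*=\s*\S+"),
}

def scan_layer(layer_tar, idx):
    """Return (layer index, path, rule) findings for one layer tarball."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for m in tar:
            path = m.name[2:] if m.name.startswith("./") else m.name
            if path.rsplit("/", 1)[-1].startswith(".wh."):
                # Whiteout entry: a later `rm` hid the path, but its bytes survive below.
                found.append((idx, path, "whiteout"))
            elif m.isfile():
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                found += [(idx, path, r) for r, rx in RULES.items() if rx.search(text)]
    return found

def scan_image(layers):
    """layers: layer tarballs ordered base to top, as listed in an image manifest."""
    return [f for i, blob in enumerate(layers) for f in scan_layer(blob, i)]

def make_layer(files):
    """Build an in-memory layer tar from {path: text}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed sample image: layer 0 copies the checkout (credentials included),
# layer 1 "cleans up" with rm, which only records whiteouts on top of layer 0.
SAMPLE_LAYERS = [
    make_layer({
        "app/.git/config": '[http "https://github.com/"]\n'
                           '\textraheader = AUTHORIZATION: basic PLACEHOLDER_B64\n',
        "app/.npmrc": "//registry.npmjs.org/:_authToken=PLACEHOLDER_NPM_TOKEN\n",
        "app/server.js": "console.log('hello');\n",
    }),
    make_layer({"app/.git/.wh.config": "", "app/.wh..npmrc": ""}),
]
```

Real layers are the blobs referenced by the manifest inside a `docker save` tarball, base layer first. The `extraheader = AUTHORIZATION:` line is what actions/checkout writes into .git/config unless `persist-credentials` is set to false, so the root-cause fix sits upstream of any scanner: disable credential persistence or keep the .git directory out of the build context.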

The researchers emphasized the importance of securing every layer of the supply chain, from source code to deployment artifacts, to prevent such catastrophic vulnerabilities.

The successful exploit also serves as a testament to the power of collaboration and innovative thinking in ethical hacking.

By targeting overlooked areas like Docker layers, hidden tokens, and subsidiary integrations, the researchers demonstrated that the biggest vulnerabilities often lie where organizations least expect them.

For enterprises, this serves as a wake-up call: securing software means securing not just the code but the entire process, from builds to deployments.

For the researchers, it was a career milestone—a story of persistence, ingenuity, and the payoff of finding that one “Exceptional Vulnerability.”

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
