Threat actors could potentially launch a software supply chain attack by exploiting a dependency confusion flaw impacting the archived Apache Cordova App Harness project, which was discontinued five years ago, reports The Hacker News. Legit Security researchers discovered that such a vulnerability could be leveraged to facilitate the uploading of a malicious version of the software using the same name that would then be fetched by NPM and with the sample already downloaded more than 100 times, significant risk is likely.
Source: SC Magazine