Dependency Confusion
A supply chain attack where a malicious public package with the same name as an internal package tricks build systems into installing the attacker's version
Also known as: Namespace Confusion, Substitution Attack
Category: Software Development
Tags: security, cybersecurity, supply-chain-attacks, software-development
Explanation
Dependency confusion (also called namespace confusion or substitution attack) is a supply chain attack where an attacker publishes a malicious package on a public registry using the same name as an organization's private or internal package. Build systems that check public registries before or in addition to private ones pull the attacker's package instead of the legitimate internal one.
The attack works in a straightforward sequence. The attacker identifies the name of an internal package (via leaked lockfiles, job postings, error messages, or open-source build configs) and publishes a package with that exact name on a public registry like npm or PyPI. The attacker sets the version number very high (e.g., 99.0.0) to win version resolution, then waits for the organization's build system to resolve the dependency and install the higher-versioned malicious public package.
Alex Birsan published the technique in February 2021 and successfully compromised over 35 major companies including Apple, Microsoft, and PayPal using this method. All were responsible disclosures through bug bounty programs, earning over $130,000 in bounties. The key insight was that most package managers default to preferring public registries, and many organizations don't pin their internal dependencies to private registry sources.
Dependency confusion is particularly effective because internal package names are often guessable or discoverable, build systems default to public registries, version resolution favors higher versions, CI/CD pipelines run with elevated privileges that amplify the impact, and no authentication is required to publish to most public registries.
Mitigations include using scoped packages, configuring registry pinning, pinning versions with lockfiles, publishing placeholder packages for internal names on public registries, and restricting CI/CD network access to only private registries for internal-only packages.
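A lockfile audit for the registry-pinning and scoping mitigations above, as an added example that is not part of the original page: it flags internal packages that an npm package-lock.json resolved from outside the private registry, or that lack the organization scope. The registry host, scope, package names and lockfile contents are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample values (assumptions, not from the original page).
PRIVATE_HOST = "npm.internal.example"            # hypothetical private registry host
INTERNAL_SCOPE = "@acme"                         # hypothetical organization scope
INTERNAL_NAMES = {"acme-billing", "@acme/auth"}  # hypothetical internal packages

# Constructed package-lock.json (lockfileVersion 3 layout: a "packages" map).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/@acme/auth": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.3.1.tgz"},
        "node_modules/acme-billing": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing/-/acme-billing-99.0.0.tgz"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    },
})

def package_name(lock_key):
    """Return the package name from a lockfile key, handling nested installs."""
    return lock_key.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock_text, internal_names, scope, private_host):
    """Flag internal packages that are unscoped or resolved off the private registry."""
    findings = []
    for key, meta in json.loads(lock_text).get("packages", {}).items():
        if not key:  # "" is the root project entry
            continue
        name = package_name(key)
        if name not in internal_names and not name.startswith(scope + "/"):
            continue  # public dependency, out of scope for this check
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_host:
            findings.append((name, meta.get("version"), f"resolved from {host}"))
        if not name.startswith(scope + "/"):
            findings.append((name, meta.get("version"), "unscoped internal name"))
    return findings

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, INTERNAL_NAMES, INTERNAL_SCOPE, PRIVATE_HOST):
        print(finding)
```

Run as a CI step against the committed lockfile, any finding should fail the build before dependencies are installed.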