Dependency Confusion Attack
Network Security
Definition
A supply chain attack exploiting package manager resolution priority by publishing a malicious public package with the same name as a private internal dependency, causing build systems to download the attacker's version.
Technical Details
Package managers (npm, pip, RubyGems, NuGet) typically prefer a public registry package over a private one when both share the same name and the public package carries a higher version number. Attackers discover internal package names through leaked dependency files and upload malicious public packages with high version numbers. Mitigations include using scoped packages, configuring registries to prefer private sources, and SBOM-based dependency pinning.
Practical Usage
Development teams must audit all internal package names against public registries and configure dependency management to pin exact versions from trusted sources. CI/CD pipelines should enforce dependency integrity checking (hash pinning) and reject packages not in an approved SBOM.
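One way a CI gate could enforce this against an npm lockfile, as an added example that is not part of the original page. The private registry host, the approved list (a simplified stand-in for an SBOM) and the lockfile contents, including the placeholder integrity strings, are constructed for illustration.

```python
from urllib.parse import urlparse

PRIVATE_HOST = "npm.internal.example"  # assumed private registry host

# Constructed approved list standing in for an SBOM: name -> pinned facts.
APPROVED = {
    "company-utils": {"version": "1.4.2", "integrity": "sha512-AAAA", "internal": True},
    "left-pad": {"version": "1.3.0", "integrity": "sha512-BBBB", "internal": False},
}

# Constructed lockfile in the package-lock.json "packages" layout.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/company-utils": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/company-utils/-/company-utils-99.0.0.tgz",
            "integrity": "sha512-ZZZZ",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/unlisted-helper": {"version": "0.0.1"},
    },
}


def audit_lockfile(lock, approved, private_host):
    """Return (package, reason) findings; an empty list means the build may proceed."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # handles nested and scoped paths
        pin = approved.get(name)
        if pin is None:
            findings.append((name, "not in approved list"))
            continue
        if entry.get("version") != pin["version"]:
            findings.append((name, "version differs from pin"))
        if entry.get("integrity") != pin["integrity"]:
            findings.append((name, "integrity differs from pin"))
        host = urlparse(entry.get("resolved", "")).hostname
        if pin["internal"] and host != private_host:
            findings.append((name, "internal package resolved outside private registry"))
    return findings
```

A pipeline step would fail the build whenever `audit_lockfile` returns a non-empty list, before any install scripts run.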
Examples
- An attacker discovers an internal package name 'company-utils' in a leaked package.json and publishes a malicious version 99.0.0 to npm.
- A build pipeline pulls attacker-controlled code because pip resolves a higher-versioned public package over the intended private one.
- A security researcher earns a bug bounty by demonstrating dependency confusion against a tech company's internal tooling.