Dependency Confusion

Posted by

Dependency Confusion is a vulnerability that allows attackers to exploit a weakness in the way that software dependencies are managed. Dependencies are external libraries or modules that a software application relies on to function. Dependency Confusion occurs when an attacker is able to introduce a malicious version of a dependency that the application is already using, and have the application use the malicious version instead of the legitimate one. This can allow the attacker to gain access to sensitive data, or execute arbitrary code on the affected system.

It is a vulnerability that has been found in the way some organizations manage their dependencies. It is used to upload malicious packages to internal package management systems, and it is based on the fact that these systems, such as npm and PyPI, will always prioritize internal packages over external ones.



Look for npmpipgem packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.

NPM example

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.