In a world where open source cannot be trusted

What is dependency confusion?

Dependency confusion occurs when a malicious package with the same name as a private package is published in a public repository, tricking systems into using the malicious version.

How dependency confusion is used

Dependency Confusion Attack Methods

Package name spoofing

Attackers may mimic the names of internal packages used by an organization. By uploading a malicious package to a public repository with the same name as an internal package, they can trick developers into accidentally using the malicious version.

Version confusion

Higher version numbers can be used by attackers to trick dependency resolution systems into using the malicious package.

If the malicious package has a higher version number than the legitimate private package, package managers might prefer the malicious package over the private one.

Namespace collision

The attacker creates a malicious package with the same name as a private one but under a different namespace. Since some package managers prioritize public registries over private ones, the attacker's package may be installed instead of the private one.

How is a Dependency confusion attack performed?

Dependency confusion is a rising sneaky cybersecurity threat in which attackers upload malicious code into trusted software supply chains.

Dependency confusion is a supply chain attack that has gained notoriety in recent years. It was first discovered and reported by security researcher Alex Birsan in 2021, who was able to successfully execute the attack against several high-profile companies such as Apple and Microsoft, earning substantial bounty rewards in the process.

To perform a dependency confusion attack, attackers upload malicious code packages with the same name as private ones to public package registries. Normally a version of the private package is installed from the company’s private registry, but package managers detect a newer version in the public registries, they can be tricked into installing those instead. Once a developer or a CI/CD system downloads and installs the attacker’s package, the malicious code is executed on their system.

By exploiting weaknesses in software supply chains, hackers can upload malicious code into trusted systems and gain access to sensitive data or take control of systems. The threat of dependency confusion highlights the importance of maintaining strong cybersecurity practices to protect against emerging cyber threats.

Using tools like npm for JavaScript packages or pip for Python packages makes it extremely simple to install third party open source software. What many forget to reflect on is the level of trust we put in these tools. They are pre-configured to use the public registries (repositories/feeds) where anyone can publish a package. Essentially maintaining open source security is assumed to be taken care of by each developer. An assumption that history shows is likely to expose your applications to high risk. Not all maintainers can be trusted and nor can the public registries guarantee that all packages are free from malware or other malicious code.

While Alex Birsan’s discovery brought attention to the issue, the threat of dependency confusion continues to be a challenge to this date for many organizations. Since then the attack surface expands and the sophistication of attacks increases.

The Far-Reaching Consequences of Dependency Confusion Attacks

Dependency confusion attacks pose a significant cybersecurity threat, impacting companies, customers, end-users, and the software development ecosystem. Below we’ll explore the far-reaching consequences of these attacks and their lasting effects.

Data Breaches and Service Disruptions

Dependency confusion attacks can lead to severe data breaches, exposing sensitive information and causing financial losses, reputational damage, and potential regulatory penalties. Additionally, these attacks can disrupt services, resulting in downtime, lost customers, and operational inefficiencies.

Customer and End-User Risks

Customers and end-users also face risks from these attacks if they use software with malicious open source dependencies. Risks include identity theft, stolen credentials and worst case fully compromised systems.

Erosion of Trust in Software Development

Increasing dependency confusion attacks can erode trust in the software development ecosystem. This climate of mistrust may lead to reduced adoption of new software, hindered innovation, and increased development costs. Balancing security vs velocity, but speed of development should never come at the cost of security.

Conclusion

The far-reaching consequences of dependency confusion attacks emphasize the need for robust security measures. By understanding the implications and working with smart tools to combat these threats, we can maintain a secure software development landscape.

Manage Open Source Threats. Intelligently.

How to Avoid Dependency Confusion attacks

Bytesafe Platform

Bytesafe keeps track of internal packages

Bytesafe is a security platform that offers robust protection for your software supply chain against various threats, including dependency confusion.

With Bytesafe’s Internal Packages feature, you can ensure that your internal packages are never replaced by external ones, even if they have the same name and newer versions. This eliminates the need for additional configuration and ensures that your internal packages remain secure and reliable.

This feature is designed to provide you with a secure solution by default, as any package uploaded to a registry flagged as internal will never be downloaded from an external source.

The Bytesafe internal packages feature provides a simple to use, yet powerful solution for securing your software supply chain against dependency confusion attacks!

Talk to our Experts

More from Bytesafe

Dependency confusion and related articles in the blog

Bytesafe Resources

Secure by default solution

Learn how to use a secure by default solution to protect your internal packages from Dependency Confusion attacks.
Bytesafe Resources

Avoiding Dependency Confusion

Internal packages should always remain internal. Here's how developers and CI/CD systems avoid Dependency Confusion attacks.
Bytesafe Resources

What's a Dependency Firewall?

Read more on how to use company-wide protection using a Dependency Firewall that blocks threats and non-compliant open source dependencies.