Inferensys

Glossary

Dependency Confusion

A software supply chain attack where an adversary uploads a malicious package with a higher version number to a public registry, tricking a build system into downloading it instead of the intended private, internal dependency.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY CHAIN ATTACK VECTOR

What is Dependency Confusion?

A software supply chain attack exploiting how package managers resolve private versus public dependencies, allowing an attacker to inject malicious code into a target's build pipeline by registering a public package with the same name as a private internal dependency.

Dependency confusion is a supply chain attack where a malicious actor uploads a package with a higher version number to a public registry, tricking a build system into downloading it instead of the intended private dependency. The attack exploits the default behavior of package managers that prioritize the highest semantic version when resolving names, effectively hijacking the dependency resolution process.

This attack vector targets organizations that use both private and public registries without proper namespace scoping. When a build system queries for a package name, it may inadvertently pull the attacker's public package rather than the internal one. Mitigation requires registry scoping, namespace prefixing, and dependency pinning to ensure resolution logic explicitly prioritizes private registries for internal package names.

SUPPLY CHAIN ATTACK VECTOR

Key Characteristics of Dependency Confusion

A breakdown of the mechanics, exploitation techniques, and defensive countermeasures associated with dependency confusion attacks targeting software supply chains.

01

The Name Squatting Mechanism

The attack exploits a fundamental flaw in how package managers resolve dependencies. When a build system encounters a package name that exists in both a private registry and a public registry, it often defaults to the higher version number. An attacker uploads a malicious package with the same name as an internal private package but with an inflated semantic version (e.g., 99.0.0), tricking the resolver into pulling the public, poisoned artifact instead of the legitimate internal one.

35+
Companies breached in 2021 researcher demo
02

Exploitation via Install Scripts

The malicious payload is rarely in the library code itself. Attackers embed code in preinstall or postinstall hooks defined in package.json (Node.js) or setup.py (Python). These scripts execute arbitrary commands on the developer's machine or CI/CD runner immediately upon installation. Common objectives include:

  • Exfiltrating environment variables (API keys, tokens)
  • Reading ~/.ssh or cloud credential files
  • Establishing a reverse shell for lateral movement
03

Internal Namespace Reconnaissance

Attackers often perform passive reconnaissance to discover valid internal package names before uploading look-alikes. Techniques include:

  • Scraping public job postings that mention internal tech stacks
  • Analyzing public package.json or requirements.txt files accidentally exposed in open-source repos
  • Monitoring DNS TXT records or CDN traffic for dependency hints
  • Examining error messages from public-facing applications that leak dependency names
04

Defensive: Scope and Namespace Registration

The most effective mitigation is namespace reservation. For npm, this means registering the organization's scope (e.g., @company-name) on the public registry, even if all packages are private. For Python, pre-registering package names on PyPI as placeholder packages prevents squatters from claiming them. This creates a deterministic ownership record that package managers can validate against.

05

Defensive: Explicit Registry Configuration

Build systems must be configured to enforce registry isolation. Tools like .npmrc files or pip.conf should use scoped registry mappings that direct internal package names exclusively to the private registry. A critical configuration is setting a global proxy or mirror that intercepts all requests, ensuring that if a package is not found in the private feed, the build fails instead of falling back to a public registry.

06

Verification via Integrity Hashes

Beyond namespace defense, content trust provides a second layer. Pinning dependencies using Subresource Integrity (SRI) hashes or lockfile digests (package-lock.json, Pipfile.lock) ensures that even if a registry is compromised, the build will reject any artifact whose cryptographic hash does not match the expected value. This requires strict enforcement of lockfile regeneration policies in CI/CD pipelines.

DEPENDENCY CONFUSION

Frequently Asked Questions

Clear, technical answers to the most common questions about dependency confusion attacks, their mechanisms, and mitigation strategies for securing your software supply chain.

A dependency confusion attack is a software supply chain exploit where an attacker uploads a malicious package with the same name as a private, internal dependency to a public package registry, but with a higher version number. Package managers, when resolving dependencies, often prioritize the package with the highest semantic version from the registry with the broadest reach. If a build system is configured to fetch from both a private registry and a public registry like npm, PyPI, or RubyGems, the resolver may inadvertently pull the attacker's public package instead of the intended private one. The malicious code then executes within the victim's CI/CD pipeline or production environment, granting the attacker code execution, data exfiltration, or lateral movement capabilities. This attack vector was popularized by security researcher Alex Birsan in 2021, who successfully infiltrated systems at Apple, Microsoft, Tesla, and dozens of other organizations by exploiting this exact misconfiguration.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.