What is dependency confusion

Dependency confusion is a newly discovered logic flaw in the default way software development tools pull third-party packages from public and private repositories. Attackers can take advantage of this issue to trick a development environment into pulling a malicious package the attackers published in a community repository instead of the custom package of the same name hosted in a private repository.

The complexities of the software supply chain

According to a 2020 study from Synopsys, over 99% of commercial applications used by enterprises contain open-source code, and such code makes up at least 70% of their code base overall. This is made possible by the large ecosystem of third-party components and packages available for every programming language. Java has the Central Repository, JavaScript has npm, Python has PyPI (Python Package Index), Ruby has RubyGems, and so on. All of these are community-maintained public repositories that development tools pull packages from when they are declared as dependencies.

The complex relationships among packages mean that pulling one component as a dependency into an application can result in importing tens or hundreds of others. Security researchers have long warned that this can be exploited by attackers, especially since the repositories are not well policed.
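The two mechanisms described above, a resolver that treats private and public repositories as one pool, and dependencies that pull in further dependencies transitively, can be seen together in a small model. The following is an added example written for this article, not code from any real package manager; the package names, versions and the two index tables are constructed, and the "highest version from any index" rule is a simplification of how an unscoped resolver behaves. The hardened resolver shows the usual mitigation: names that are known to be internal are only ever fetched from the private index, and a quick collision check lists which internal names also exist publicly.

```python
"""Toy model of package resolution across a private and a public index.

Constructed example: the indexes, names and versions below are invented
to illustrate dependency confusion and its mitigation. No network access.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: tuple          # (major, minor, patch)
    source: str             # "private" or "public"
    deps: tuple = ()        # names of packages this one depends on


# Constructed private index: the organisation's internal packages.
PRIVATE_INDEX = {
    "acme-auth": [Package("acme-auth", (1, 4, 0), "private", ("requests-shim",))],
    "requests-shim": [Package("requests-shim", (0, 3, 1), "private")],
}

# Constructed public index: note the same internal names also exist here,
# one of them with an implausibly high version number.
PUBLIC_INDEX = {
    "acme-auth": [Package("acme-auth", (99, 0, 0), "public", ("some-helper",))],
    "requests-shim": [Package("requests-shim", (0, 1, 0), "public")],
    "some-helper": [Package("some-helper", (2, 0, 0), "public")],
}

# Names the organisation knows are internal (hypothetical allow-list).
INTERNAL_NAMES = {"acme-auth", "requests-shim"}


def resolve_highest_anywhere(name):
    """Vulnerable policy: pool both indexes and take the highest version."""
    candidates = PRIVATE_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])
    if not candidates:
        raise LookupError(f"no index provides {name}")
    return max(candidates, key=lambda p: p.version)


def resolve_scoped(name, internal_names=INTERNAL_NAMES):
    """Hardened policy: internal names come only from the private index,
    everything else only from the public index. A missing internal package
    is an error rather than a fallback to the public index."""
    if name in internal_names:
        candidates = PRIVATE_INDEX.get(name, [])
        if not candidates:
            raise LookupError(f"internal package {name} missing from private index")
    else:
        candidates = PUBLIC_INDEX.get(name, [])
        if not candidates:
            raise LookupError(f"no public package named {name}")
    return max(candidates, key=lambda p: p.version)


def resolve_tree(root, resolver):
    """Walk the transitive dependency graph from `root` using `resolver`.
    Returns {name: Package} for everything that would be installed."""
    installed = {}
    pending = [root]
    while pending:
        name = pending.pop()
        if name in installed:
            continue
        pkg = resolver(name)
        installed[name] = pkg
        pending.extend(d for d in pkg.deps if d not in installed)
    return installed


def collisions(internal_names=INTERNAL_NAMES):
    """Internal names that are also claimable/claimed on the public index.
    This is the inventory a defender wants before choosing a resolver policy."""
    return {n for n in internal_names if n in PUBLIC_INDEX}


if __name__ == "__main__":
    vulnerable = resolve_tree("acme-auth", resolve_highest_anywhere)
    hardened = resolve_tree("acme-auth", resolve_scoped)
    print("vulnerable policy installs:",
          {n: (p.version, p.source) for n, p in vulnerable.items()})
    print("scoped policy installs:",
          {n: (p.version, p.source) for n, p in hardened.items()})
    print("internal names present on the public index:", collisions())
```

Under the pooled policy the root package itself resolves to the public 99.0.0 copy, and because that copy declares its own dependencies, the whole installed tree is public content the organisation never reviewed. Under the scoped policy the same request yields only the private packages, and the collision list tells the defender which internal names need that protection.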