Dependency confusion has emerged as a serious cybersecurity threat, where packages used in an organization’s code unintentionally come from external sources sharing the same name. Recent research indicates that 41% to 49% of organizations are at risk, with a striking 73% of their assets vulnerable when exposed to dependency confusion attacks. This risk spans across sectors and organizations of various sizes. Even applications with over 1 billion users are using vulnerable dependencies.
Malicious actors employ several tactics in dependency confusion attacks. Namespacing involves uploading malicious software to a public registry with a name similar to a trusted, internal library, tricking systems into fetching the wrong code. DNS spoofing directs systems to pull dependencies from malicious repositories while appearing as legitimate internal URLs. Scripting manipulates build/install scripts or CI/CD pipelines to make systems download malicious dependencies.
To defend against these attacks, organizations must establish safeguards, including setting package manager policies to prioritize private packages over public ones, ensuring the inclusion of an .npmrc file to specify package sources when using tools like NPM, reserving package names in public registries to thwart potential hijacking, and consistently utilizing organization scopes for internal packages, including registration in public repositories, to mitigate the risk of dependency confusion attacks.
Public registration of package names is crucial for preventing potential hijacking and avoiding confusion. However, not all package registries support name reservations, so organizations should select one that does. Dependency confusion attacks pose a significant and immediate cybersecurity threat to organizations, emphasizing the need for good preventive measures and adherence to cybersecurity best practices.