Dependency confusion
Definition
An attack technique in which an attacker publishes a public package with the same name as an organisation's internal private package at a higher version number. Package managers that check public registries before private ones will download the attacker's version, executing malicious code in the victim's build environment.
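As an added illustration that is not part of this glossary entry, the following Python simulation models the resolution behaviour the definition describes (merging public and private registries and taking the highest version) next to the hardened policy of pinning internally owned names to the private registry. The registries, package names and version numbers are constructed for the example.

```python
"""Simulated package resolution, showing why dependency confusion works and how
pinning internal names to the private registry prevents it. This is an added
teaching model, not a real package manager; all registry data is constructed."""


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


# Constructed registries. The 'acme-utils' entry on the public side stands in for
# a look-alike package published under an internal name at a higher version.
PRIVATE_REGISTRY = {"acme-utils": ["1.4.2"], "acme-auth": ["2.0.0"]}
PUBLIC_REGISTRY = {"requests": ["2.31.0"], "acme-utils": ["99.0.0"]}
REGISTRIES = {"private": PRIVATE_REGISTRY, "public": PUBLIC_REGISTRY}

# Names the organisation owns; a real deployment would take this from a manifest
# of internal packages rather than from the registry contents themselves.
PRIVATE_NAMES = frozenset(PRIVATE_REGISTRY)


def resolve_highest_anywhere(name, registries):
    """Vulnerable policy: merge every registry and pick the highest version,
    regardless of which registry offers it."""
    candidates = []
    for source, registry in registries.items():
        for version in registry.get(name, []):
            candidates.append((parse_version(version), source, version))
    if not candidates:
        raise LookupError(f"{name} not available from any registry")
    _, source, version = max(candidates)
    return source, version


def resolve_with_pinned_sources(name, registries, private_names, private_source):
    """Hardened policy: an internally owned name is only ever resolved from the
    private registry; every other name is only resolved from the public one."""
    source = private_source if name in private_names else "public"
    versions = registries[source].get(name, [])
    if not versions:
        raise LookupError(f"{name} not available from {source}")
    return source, max(versions, key=parse_version)


def audit_manifest(dependencies):
    """For each dependency, report what both policies would install and flag
    the internal names that the merged policy would fetch from the public
    registry (the dependency-confusion condition)."""
    findings = {}
    for name in dependencies:
        merged_source, merged_version = resolve_highest_anywhere(name, REGISTRIES)
        pinned_source, pinned_version = resolve_with_pinned_sources(
            name, REGISTRIES, PRIVATE_NAMES, "private"
        )
        findings[name] = {
            "merged": (merged_source, merged_version),
            "pinned": (pinned_source, pinned_version),
            "confused": name in PRIVATE_NAMES and merged_source == "public",
        }
    return findings


if __name__ == "__main__":
    for dep, result in audit_manifest(["acme-utils", "acme-auth", "requests"]).items():
        flag = "CONFUSED" if result["confused"] else "ok"
        print(f"{dep:12} merged={result['merged']} pinned={result['pinned']} {flag}")
```

The merged policy mirrors setups where a private index is simply added alongside the public one and the highest version wins, which is exactly what the definition relies on. The pinned policy mirrors scoped or per-package registry configuration, where the package manager never consults the public registry for internally owned names; registering those names on the public registry as placeholders is a complementary control.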
Related terms
- NIST SP 800-161r1
- The US National Institute of Standards and Technology publication 'Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations' (Revision 1, 2022)....
- Software Bill of Materials (SBOM)
- A structured, machine-readable inventory of the software components in a product or system. Captures component names, versions, licences, and dependency relationships. Standard...
- Software Composition Analysis (SCA)
- A category of security tooling that scans source code, build manifests, and container images to identify open-source and third-party components, match them...
- Transitive dependency
- A software library that an application does not import directly but is pulled in automatically because a direct dependency requires it. Transitive...
- Vendor due diligence
- The pre-procurement and ongoing process of assessing a supplier's security practices before and during a commercial relationship. In supply-chain risk management, due...
Explained in
- Supply-Chain Risk and Software Dependencies