
Microsoft published a white paper on Tuesday 10th Feb warning that “Dependency Confusion” attacks are possible against applications built from a mix of privately held and publicly sourced packages (a hybrid feed configuration).


Why might this be a problem?

Software is assembled from a wide range of packages: some developed in house, some purchased from third-party suppliers, and some downloaded free from public sources. When components come from several sources, the package manager has to decide which source satisfies each package name, and that decision is where malicious code can slip in. A public package that is installed in place of a private one runs with the privileges of the build server or developer machine, and most package ecosystems execute install-time scripts, so executing a malware payload delivered this way is trivial.


What is a Dependency Confusion Attack?

A common hybrid configuration keeps in-house packages on a private feed alongside publicly available packages, with new versions downloaded automatically as they are released. An attacker who learns the name of a private package (from a leaked manifest, a build log or a public repository) publishes a package of the same name to the public index with a higher version number. A package manager that consults both feeds and takes the highest version available then downloads the attacker’s package instead of the internal one, and its install scripts run the attacker’s code. This substitution of a public package for a private one is a dependency confusion attack.


Am I impacted?

If you download and use code from public package indexes in your applications, you may be at risk from this form of attack. Even if your own packages are managed internally on private feeds, you may still be at risk if the same build also consumes components from public indexes such as Maven Central, npm, NuGet Gallery, and the Python Package Index (PyPI), because the resolver may treat the two sources as interchangeable.


What can I do?

Reducing the risk of this form of attack is straightforward.

  • Use a package manager that enforces controlled scopes, namespaces or prefixes, so that internal names can only be resolved from the internal feed
  • Enforce version pinning and integrity verification (a lockfile that records a hash for each artifact), so that only the intended functionality is installed and a substituted package is rejected; a version pin on its own is not enough, because an attacker can publish the pinned version number too
  • If your package manager doesn’t support the above, then consider disabling automatic download of updated packages from public sources, for example by routing all installs through a single private feed that mirrors approved public packages
  • All packages used should be signed and from a verified source where possible
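The following simulation, added here as an illustration and not taken from the original post or from Microsoft’s white paper, shows both the attack described above and the effect of the controls in this list. It models two feeds (a private one holding a constructed internal package “acme-billing” 1.2.0, and a public one on which the attacker has registered the same name at 99.0.0 and at exactly 1.2.0). A “merged, highest version wins” resolver picks the attacker’s package; a resolver that applies an internal prefix, a version pin and a hash check does not. All names, versions, payloads and hashes are constructed for the example.

```python
"""Simulated dependency resolution across a private and a public feed.

Added example for illustration; not code from the original post or from
Microsoft's white paper. All package names, versions, feed contents and
hashes below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch)
    feed: str           # "private" or "public"
    payload: bytes      # stand-in for the package archive (constructed)

    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


# Constructed feeds. "acme-billing" is an in-house package that exists only
# on the private feed at 1.2.0. The attacker registers the same name on the
# public index twice: at an absurdly high version (beats any "highest
# version wins" resolver) and at exactly 1.2.0 (beats a version pin that is
# not backed by an integrity check).
PRIVATE_FEED = {
    "acme-billing": [Candidate("acme-billing", (1, 2, 0), "private", b"internal billing module")],
}
PUBLIC_FEED = {
    "acme-billing": [
        Candidate("acme-billing", (99, 0, 0), "public", b"attacker payload, high version"),
        Candidate("acme-billing", (1, 2, 0), "public", b"attacker payload, pinned version"),
    ],
    "requests": [Candidate("requests", (2, 31, 0), "public", b"genuine public package")],
}
FEEDS = {"private": PRIVATE_FEED, "public": PUBLIC_FEED}

# Hash of the genuine internal artifact, as a lockfile would record it.
GOOD_HASH = hashlib.sha256(b"internal billing module").hexdigest()


def resolve_merged(name: str, feeds: dict) -> Candidate:
    """Vulnerable resolution: every feed is searched and the highest version
    wins regardless of which feed it came from. This is the behaviour the
    attack relies on (for example pip with --extra-index-url, or an npm
    client that falls back to the public registry for unscoped names)."""
    candidates = [c for feed in feeds.values() for c in feed.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any feed")
    return max(candidates, key=lambda c: c.version)


def resolve_hardened(name, feeds, internal_prefixes=(), pins=None, hashes=None) -> Candidate:
    """Hardened resolution applying the three controls from the list above:
      1. names carrying an internal prefix are looked up on the private feed only;
      2. a pinned version is the only version accepted;
      3. if an expected hash is known, the artifact must match it.
    If two feeds still offer the same name and version and nothing tells them
    apart, refuse rather than guess."""
    pins = pins or {}
    hashes = hashes or {}
    search = {"private": feeds["private"]} if name.startswith(tuple(internal_prefixes)) else feeds
    candidates = [c for feed in search.values() for c in feed.get(name, [])]
    if name in pins:
        candidates = [c for c in candidates if c.version == pins[name]]
    if name in hashes:
        candidates = [c for c in candidates if c.sha256() == hashes[name]]
    if not candidates:
        raise LookupError(f"{name}: no candidate satisfies the scope/pin/hash policy")
    if len({c.feed for c in candidates}) > 1:
        raise ValueError(f"{name}: ambiguous, offered by feeds {sorted(c.feed for c in candidates)}")
    return max(candidates, key=lambda c: c.version)


def outcome(**kwargs) -> str:
    """Report which feed the hardened resolver chose, or the error raised."""
    try:
        return resolve_hardened(**kwargs).feed
    except (LookupError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("merged, highest wins :", resolve_merged("acme-billing", FEEDS))
    print("internal prefix only :", outcome(name="acme-billing", feeds=FEEDS, internal_prefixes=("acme-",)))
    print("pin only             :", outcome(name="acme-billing", feeds=FEEDS, pins={"acme-billing": (1, 2, 0)}))
    print("pin + hash           :", outcome(name="acme-billing", feeds=FEEDS,
                                            pins={"acme-billing": (1, 2, 0)}, hashes={"acme-billing": GOOD_HASH}))
```

Note the “pin only” case: because the attacker also published 1.2.0 publicly, pinning alone leaves two candidates and the resolver refuses to choose; a real package manager without an integrity check would simply take one of them. The hash from the lockfile is what finally identifies the genuine artifact.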

If you have any concerns and would like to speak in confidence with one of our Security Consultants, please contact Ross Holmes.
