Supply Chain Incident
Dependency confusion proof-of-concept campaign
Researchers demonstrated that public package registries could be abused to satisfy internal dependency names and execute code in downstream build environments.
Confidence: High
Evidence Level: Researcher
Attack Stage: Dependency Resolution
Source Artifact Divergence: No
Affected Packages
Affected Releases
No structured records.
Repositories
No structured records.
Organizations
No structured records.
Maintainers
No structured records.
Threat Actors
No structured records.
Campaigns
No structured records.
Build Systems
No structured records.
Distribution Channels
- npm registry
- PyPI
- RubyGems
Compromised Accounts
No structured records.
Connected Entities
- internal dependency names (Package)
- npm registry (Distribution Channel)
- PyPI (Distribution Channel)
- RubyGems (Distribution Channel)
References
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies (Alex Birsan, 2021-02-09)