Dependency Confusion

Dependency confusion is a supply chain attack where an attacker publishes a malicious package to a public registry (npm, PyPI, RubyGems) using the same name as an internal private package. Package managers that search public registries before private ones will install the attacker's version instead of the intended internal package. Security researcher Alex Birsan demonstrated this in 2021, earning over $130,000 in bug bounties from companies including Apple and Microsoft. Fix requires pinning package versions and configuring package managers to prefer private registries.

Why it matters for your website

• 1Foundational principle in modern security — harder to retrofit than to build in from the start
• 2Reduces breach impact by limiting what attackers can access if they get in
• 3Required control in ISO 27001, NIST CSF, and most compliance frameworks