
Dependency Confusion

Dependency confusion is a supply chain attack in which a build tool or package manager is tricked into pulling a malicious public package instead of the intended internal one. It matters because modern builds rely heavily on automated dependency resolution, so a naming overlap or an unfavourable registry priority rule can turn into code execution inside trusted pipelines.

What is Dependency Confusion?

Attackers register public packages with names that overlap internal package namespaces or exploit priority rules in build tooling. If the build system resolves the attacker package first, malicious code can run during install, build, or deployment.

What Dependency Confusion Commonly Supports

The concept commonly informs supply chain threat modeling, registry hardening, dependency governance, and secure build pipeline design.

Dependency Confusion vs. Trusted Internal Package Resolution

Dependency confusion abuses ambiguous package lookup rules. Trusted internal resolution ensures private packages cannot be silently replaced by external lookalikes.

Frequently Asked Questions

Why is dependency confusion dangerous?

Because the malicious package often runs inside a trusted build environment that already has source code, secrets, or deployment access.

How do teams reduce this risk?

Namespace controls, explicit registry configuration, package allowlists, and build-policy validation all help.
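To make the "explicit registry configuration" and "package allowlist" controls concrete, here is an added example (not code from the original page) that audits a lockfile-style list of resolved packages and an .npmrc fragment: internal-named packages must resolve from the approved internal registry, and every internal scope must be bound to that registry. The prefixes, registry host, and lockfile entries are constructed sample data.

```python
"""Audit resolved dependencies for dependency-confusion exposure.

All names, hosts and the lockfile-style input below are constructed
sample data for illustration; the internal namespace policy is hypothetical.
"""
from urllib.parse import urlparse

# Hypothetical policy: names under these prefixes are internal and must
# come from the internal registry host, never from a public registry.
INTERNAL_PREFIXES = ("@acme/", "acme-")
INTERNAL_REGISTRY_HOST = "npm.internal.acme.example"

# Constructed input mirroring the "resolved" field of a package-lock.json:
# package name -> resolved tarball URL.
SAMPLE_LOCK = {
    "@acme/auth-client": "https://npm.internal.acme.example/@acme/auth-client/-/auth-client-2.1.0.tgz",
    "acme-billing-utils": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz",
    "left-pad": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    "@acme/logger": "https://registry.npmjs.org/@acme/logger/-/logger-1.0.0.tgz",
}


def is_internal_name(name: str) -> bool:
    """A package is treated as internal if its name falls in a reserved namespace."""
    return name.startswith(INTERNAL_PREFIXES)


def audit_lock(lock: dict) -> list:
    """Return one finding per internal-named package whose resolved URL
    points at any host other than the approved internal registry."""
    findings = []
    for name, resolved in lock.items():
        if not is_internal_name(name):
            continue  # genuinely public dependencies are out of scope here
        host = urlparse(resolved).hostname or ""
        if host != INTERNAL_REGISTRY_HOST:
            findings.append({"package": name, "host": host, "resolved": resolved})
    return findings


def unbound_scopes(npmrc_text: str, scopes: tuple) -> list:
    """Return the scopes that an .npmrc does not bind to the internal registry
    via an '@scope:registry=<url>' line (unbound scopes fall back to the default
    registry, which is the lookup ambiguity dependency confusion abuses)."""
    bound = set()
    for line in npmrc_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.endswith(":registry"):
            if urlparse(value.strip()).hostname == INTERNAL_REGISTRY_HOST:
                bound.add(key[: -len(":registry")])
    return [s for s in scopes if s not in bound]
```

Note that the unscoped name `acme-billing-utils` cannot be bound to a registry by scope at all, which is why the audit relies on a name-prefix list rather than on scope bindings alone.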

George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through the inefficiencies that plague today's business environments.