
Software Supply Chain Strategies to Mitigate Dependency Confusion Attacks


Dependency confusion attacks, also known as name confusion attacks, are a serious cybersecurity threat that organizations around the world need to be aware of. These attacks occur when the package manager installs a different package from the one the developer intended, with potentially harmful consequences.

Recent research conducted by OX Security indicates that a significant number of organizations, around 41-49%, are vulnerable to dependency confusion attacks. Furthermore, when an organization is at risk, a staggering 73% of their assets become vulnerable. The research was conducted across various sectors, including finance, gaming, technology, and media, and found that organizations of all sizes are at risk. Even applications with over a billion users were found to be using dependencies that are vulnerable to these attacks.

To understand how dependency confusion attacks work, we must first comprehend what dependencies are. Dependencies, also known as packages, are essential components of software development. They serve as building blocks and perform specific tasks, whether developed by communities or within a company. Package managers are commonly used to install and update these dependencies. They search both public and private registries for the name of the package and, in most cases, select whichever candidate has the highest version number, regardless of which registry it came from. This is the behavior attackers exploit.

Attackers take advantage of the package manager’s behavior by uploading a malicious package with the same name as a trusted one to a public registry. When the package manager encounters the two identical packages, one from the public registry and the other from a private registry, confusion arises. Since the packages have equal names, the manager automatically installs the one with the higher version, which, in this case, is the attacker’s malicious package.
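The resolution behavior described above, as an added example that is not part of the original article: a toy resolver with constructed private and public registry snapshots. The package names, versions and registry contents are assumed for illustration. The weak policy merges both registries and picks the highest version, so the squatted public copy wins; the private-first policy and scope pinning remove the ambiguity.

```python
"""Toy dependency resolver (added example, not from the article).

Constructed registry snapshots: package name -> list of published versions.
"acme-utils" exists internally at 1.x; an attacker has published a squatted
"acme-utils" 99.0.0 on the public registry.
"""

PRIVATE = {
    "acme-utils": ["1.2.0", "1.3.0"],
    "@acme/utils": ["1.3.0"],
}
PUBLIC = {
    "lodash": ["4.17.21"],
    "acme-utils": ["99.0.0"],    # constructed: squatted name, deliberately high version
    "@acme/utils": ["99.0.0"],   # constructed: squatted scoped name
}

# Assumed .npmrc-style mapping: every package under @acme is fetched only from PRIVATE.
SCOPE_REGISTRY = {"@acme": PRIVATE}


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def resolve_highest_anywhere(name: str):
    """Weak policy: merge both registries and take the highest version.

    Returns (source, version).  This is the behavior dependency confusion abuses.
    """
    candidates = [(parse_version(v), "private", v) for v in PRIVATE.get(name, [])]
    candidates += [(parse_version(v), "public", v) for v in PUBLIC.get(name, [])]
    if not candidates:
        raise LookupError(name)
    _, source, version = max(candidates)   # version tuple dominates the comparison
    return source, version


def resolve_private_first(name: str):
    """Hardened policy: if the private registry knows the name, the public one is never consulted."""
    for source, registry in (("private", PRIVATE), ("public", PUBLIC)):
        if name in registry:
            return source, max(registry[name], key=parse_version)
    raise LookupError(name)


def resolve_scoped(name: str):
    """Scope pinning: '@acme/...' is looked up only in the registry mapped for '@acme'.

    Unscoped names fall back to the public registry; a scoped name whose scope
    is not mapped is rejected rather than silently fetched from the public registry.
    """
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        if scope not in SCOPE_REGISTRY:
            raise LookupError(f"scope {scope} is not pinned to a registry")
        registry, source = SCOPE_REGISTRY[scope], "private"
    else:
        registry, source = PUBLIC, "public"
    if name not in registry:
        raise LookupError(name)
    return source, max(registry[name], key=parse_version)


if __name__ == "__main__":
    for policy in (resolve_highest_anywhere, resolve_private_first):
        print(policy.__name__, "acme-utils ->", policy("acme-utils"))
    print("resolve_scoped @acme/utils ->", resolve_scoped("@acme/utils"))
```

The `max()` over tuples works because the parsed version tuple is the first element; the `source` string only breaks ties when the same version exists in both registries, which is itself a sign worth investigating.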

Once the malicious package is installed, hackers gain unauthorized access to the software, enabling them to execute data breaches, steal intellectual property, compromise the software supply chain, and even introduce compliance violations that may result in severe penalties.

Dependency confusion attacks can manifest in different ways. One approach involves namespacing, where attackers upload a malicious software library to a public registry with a similar name to an internally used trusted library. This can mislead systems that don’t check namespaces or don’t fetch from a private registry, resulting in the installation of the malicious code. DNS spoofing is another technique used, where systems are directed to pull dependencies from malicious repositories while displaying seemingly legitimate internal URLs or paths. Additionally, attackers can modify build/install scripts or CI/CD pipeline configurations to trick systems into downloading dependencies from a malicious source.

To protect against dependency confusion attacks, organizations can adopt several preventive measures. Establishing policies within the package manager to prioritize private packages over public ones is crucial. Furthermore, including an .npmrc file is essential when using npm as a package manager. This file specifies which registry to fetch packages from under a specific scope. Reserving package names in public registries is another effective approach to thwarting these attacks. By reserving package names, attackers cannot use them to trick the package manager into installing malicious packages.

For comprehensive protection against dependency confusion attacks, organizations should utilize organization scopes for all internal packages, even when publishing to their internal registry. These organization scopes should also be registered in public registries to prevent unauthorized users from taking advantage of the confusion.

Additionally, organizations should register package names publicly. For example, if an organization uses pip as a package manager for Python dependencies, it should create internal packages with a recognizable suffix that is used consistently across all projects. Uploading an empty package with the same name as a placeholder on the public registry helps reserve the name and avoid any potential conflicts in the future.
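The scope pinning and naming conventions from the preceding paragraphs, as an added example that is not part of the original article: a small audit that reads an npm lockfile, flags internal packages that resolved to the public registry instead of the private one, and emits the `.npmrc` scope lines. The lockfile content, the `@acme` scope, the `-internal` suffix convention and the registry URLs are constructed for illustration.

```python
"""Lockfile audit for dependency confusion (added example, not from the article).

Checks every package in a package-lock.json (lockfileVersion 3 layout) whose
name is scoped to an internal scope, or carries the organization's internal
suffix, and reports any that resolved to a host other than the private registry.
"""
import json
from urllib.parse import urlparse

# Assumed private registry per internal scope; this is what .npmrc should pin.
INTERNAL_SCOPES = {"@acme": "https://npm.internal.example/"}
# Assumed convention for unscoped internal packages (the suffix approach the article describes).
INTERNAL_SUFFIX = "-internal"
PRIVATE_HOST = "npm.internal.example"

# Constructed lockfile: one scoped package correctly resolved privately, one
# scoped package and one suffixed package that slipped to the public registry.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.21", "@acme/utils": "^1.3.0"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/@acme/utils": {
            "version": "1.3.0",
            "resolved": "https://npm.internal.example/@acme/utils/-/utils-1.3.0.tgz"},
        "node_modules/@acme/auth": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-99.0.0.tgz"},
        "node_modules/lodash/node_modules/billing-internal": {
            "version": "42.0.0",
            "resolved": "https://registry.npmjs.org/billing-internal/-/billing-internal-42.0.0.tgz"},
    },
})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def expected_host(name: str):
    """Private host a package must come from, or None if it is expected to be public."""
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        registry = INTERNAL_SCOPES.get(scope)
        return urlparse(registry).netloc if registry else None
    if name.endswith(INTERNAL_SUFFIX):
        return PRIVATE_HOST
    return None


def find_confused(lock_text: str) -> list:
    """Return (name, version, actual_host) for internal packages fetched from the wrong host."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        want = expected_host(name)
        if want is None:
            continue
        actual = urlparse(meta.get("resolved", "")).netloc or "<no resolved url>"
        if actual != want:
            findings.append((name, meta.get("version"), actual))
    return findings


def npmrc_lines() -> list:
    """'@scope:registry=URL' pins every package in that scope to one registry."""
    return [f"{scope}:registry={url}" for scope, url in INTERNAL_SCOPES.items()]


if __name__ == "__main__":
    for name, version, host in find_confused(LOCKFILE):
        print(f"CONFUSED: {name}@{version} resolved from {host}")
    print("\n".join(npmrc_lines()))
```

Running this in CI against the committed lockfile catches a confused dependency after resolution but before deployment; the `.npmrc` lines prevent the scoped case from happening at all, while the suffix check covers unscoped names that the registry cannot pin.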

However, it’s important to note that not all package registries allow users to reserve package names, so organizations should choose a registry that offers this feature.

In conclusion, dependency confusion attacks pose a significant threat to organizations worldwide, with approximately half of all organizations being at risk. The assets of these organizations are highly vulnerable to these attacks. Implementing robust preventive measures, such as establishing policies, including .npmrc files, and reserving package names, can help protect against these attacks. It is essential for organizations to adopt cybersecurity best practices and remain vigilant in order to safeguard their software supply chain from this growing threat.
