“Dazed and Dependency-Confused in Dallas”
Dear Sloan,
I am confused about dependency confusion attacks. I’m dreading the topic of dependency hijacking. I’m also not good with namespace confusion? And I’m in a real tizzy about typosquatting? I know that simply overlooking these terms isn’t an option, and I want to be well-versed as I explain their importance to decision-makers in my org. Will you please help me to clarify and define these terms?
Thank you,
Dazed and Confused in Dallas
Dear Dazed and Confused in Dallas,
You’re not alone in being discombobulated about dependency confusion. 🤔 And you’re right on in recognizing the importance of grasping all of these terms. So, to quell some of your angst, know that dependency confusion is sometimes referred to as dependency hijacking. It’s also informally known as namespace confusion. I hope that helps you a bit. 💡
Now, What Does Dependency Confusion Mean?
Dependency confusion is one type of software supply chain attack. This is also known as dependency hijacking, and namespace confusion. (If you’re thinking ‘what’s a software supply chain, that’s another story for another day :0)). Anyway, here’s how attacks could happen:
- Attackers deliberately confuse your package managers. They trick your script to pull in a malicious software (malware) file instead of the intended file.
- Attackers identify the internal package names. Next, they place malicious code with the same name in public package repositories.
- When they publish it to the public (e.g. on npm/PyPI/RubyGems/other repo), it has the same name as your private dependency. When this happens, the public dependency gets pulled into your code, instead of your own, private one. *depending on how you configure your tools.
- How does the attack succeed? There are two files of the same name. Most installers are configured to pick the file with the highest version number.
- When the attackers place the malicious code of the same name in the public repo, they ensure it has a higher version number than the intended package.
- At times, the attackers may use names of dependencies that no longer exist to confuse the package managers.
Tame Your Tizzy About Typosquatting
Dazed and confused, I’m happy to tame your tizzy. Typosquatting is a type of dependency confusion as well. So, what is typosquatting? I’m glad you asked. Here are some details around typosquatting attacks:
- Attackers post malicious components to public repos (npm/PyPI/RubyGems….)
- They make sure their malicious components share the same name and spelling of legitimate components. But, intentionally misspell the malicious component name. They change only 1-2 letters.
- Attackers know that typos happen, and capitalize on developers making typographical errors.
- Attackers know that developers may mistake the attacker’s component for the real thing when quickly browsing the list. (This is also known as “brandjacking”)
If you’d like to dig deeper into the topics of npm dependency confusion, or typosquatting examples, check out Sonatype’s blog. “Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties.” See our handy guide on Preventing Namesapce Confusion. Or, sign up to watch this super informative webinar on How to Avoid the ‘Dependency Confusion’ Software Supply Chain Hack. As always, let us know what you think in the comments below.
Yours Truly,
Sloan
~ Making Cyber a Safer Space
Hey could we get a date attached to these posts? I’m just curious how up-to-date this is.
Hi DocOc – We just posted this yesterday, though we’re in a pilot phase, so not yet been published on our Learn.sonatype.com site. We will be sure to add dates as you suggested when we publish. BTW – how did you happen upon this? I’m hoping you found it via a search?