
Microsoft successfully hit by dependency hijacking again
2021-06-29 07:40

Microsoft has once again been successfully hit by a dependency hijacking attack.

After publishing a public dependency with the same name as an internal one, the researcher began receiving messages from Microsoft's Halo game development servers.

BleepingComputer's earlier articles on dependency confusion explain that the term refers to an inherent weakness in how various open-source package managers retrieve the dependencies specified for a software package.

If a project uses a private, internally created dependency and a dependency with the same name also exists on a public repository, the development tools are left in "confusion" as to which dependency is being referred to.

The public dependency with the same name would get pulled into the development environment instead of the intended, private dependency.
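The two checks a defender most wants after reading this are (a) did any package that should only come from the private index actually get pulled from a public one, and (b) is the package manager configured so that a public index can compete with the private one at all. The script below is an added example, not code from the BleepingComputer article or from Microsoft; the private index host `pkgs.internal.example`, the package names `acme-internal-auth` / `acme-build-tools`, the resolved-package records and the pip.conf text are all constructed for illustration. It models the pip case: names are normalised per PEP 503 before comparison (so `acme_build_tools` and `acme-build-tools` are the same package), and `extra-index-url` is flagged because pip then picks the highest version across every index it knows about, which is exactly the behaviour the attack relies on.

```python
"""Detect dependency confusion in a resolved dependency set and in pip configuration.

Added example for illustration only; hosts, package names and sample data are constructed.
"""
import configparser
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the organisation's private package index lives on this host (constructed name).
PRIVATE_INDEX_HOSTS = {"pkgs.internal.example"}

# Assumption: packages the organisation publishes only to its private index (constructed names).
PRIVATE_PACKAGE_NAMES = ["acme_internal_auth", "acme-build-tools"]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class ResolvedPackage:
    name: str
    version: str
    resolved_url: str  # URL the resolver actually downloaded the artifact from


def resolved_from_private_index(url: str) -> bool:
    """True when the URL's host is one of the private index hosts."""
    return urlparse(url).hostname in PRIVATE_INDEX_HOSTS


def find_confused_packages(resolved, private_names=PRIVATE_PACKAGE_NAMES):
    """Return (name, version, url) for internal package names that were fetched from a public source.

    A hit means the resolver substituted a public package for the intended private one.
    """
    internal = {normalize(n) for n in private_names}
    return sorted(
        (p.name, p.version, p.resolved_url)
        for p in resolved
        if normalize(p.name) in internal and not resolved_from_private_index(p.resolved_url)
    )


def audit_pip_config(text: str):
    """Flag pip settings that let a public index compete with the private one."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        # extra-index-url makes pip consider every index and take the highest version it finds.
        if cfg.has_option(section, "extra-index-url"):
            findings.append(
                f"[{section}] extra-index-url set: pip will pick the highest version across all indexes"
            )
        index = cfg.get(section, "index-url", fallback=None)
        if index and not resolved_from_private_index(index):
            findings.append(f"[{section}] index-url points at a public index: {index}")
    return findings


# Constructed lockfile-style records: two internal names plus one ordinary public package.
SAMPLE_RESOLVED = [
    ResolvedPackage(
        "acme-internal-auth", "1.4.2",
        "https://pkgs.internal.example/simple/acme-internal-auth/acme_internal_auth-1.4.2-py3-none-any.whl",
    ),
    ResolvedPackage(
        "acme_build_tools", "99.0.0",
        "https://files.pythonhosted.org/packages/ab/cd/acme_build_tools-99.0.0.tar.gz",
    ),
    ResolvedPackage(
        "requests", "2.31.0",
        "https://files.pythonhosted.org/packages/ef/01/requests-2.31.0-py3-none-any.whl",
    ),
]

# Constructed pip.conf that mixes the private index with the public one (the weak setting).
SAMPLE_PIP_CONF = """
[global]
index-url = https://pkgs.internal.example/simple
extra-index-url = https://pypi.org/simple
"""

# Hardened form: a single index-url pointing at the private index (which proxies public packages).
HARDENED_PIP_CONF = """
[global]
index-url = https://pkgs.internal.example/simple
"""


if __name__ == "__main__":
    for hit in find_confused_packages(SAMPLE_RESOLVED):
        print("CONFUSED:", *hit)
    for finding in audit_pip_config(SAMPLE_PIP_CONF):
        print("CONFIG:", finding)
    print("hardened config findings:", audit_pip_config(HARDENED_PIP_CONF))
```

Run against the constructed data, `find_confused_packages` reports `acme_build_tools` 99.0.0 (an implausibly high version from a public host for a name that should only exist internally), while `acme-internal-auth` and `requests` pass. The hardened configuration keeps one `index-url` and lets the private index proxy public packages, so there is never a second source for a resolver to "confuse" with the first; the same principle applies to npm scoped registries and to other package managers with a single-source setting.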

This further confirmed the researcher's suspicion that a Microsoft server had been successfully hit by his dependency hijacking attack, and the researcher reported the finding to Microsoft.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-by-dependency-hijacking-again/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 681 810 4511 4178 3707 13206