Dependency Confusion Attacks: New Research Into Which Businesses are At Risk (Security News, August 2023)
We share specifics from new security research about dependency confusion attacks, and explain how these attacks work, who is most at risk and how to mitigate them.
New research from OX Security, a DevOps software supply chain security company, revealed that almost all applications with more than one billion users and more than 50% of applications with 30 million users are using dependencies that are vulnerable to dependency confusion attacks.
The research also showed that organizations at risk are more likely to have 73% of their assets exposed to dependency confusion attacks.
For dependency confusion to work, the attacker first identifies a package name used in the organization's private repository and registers the same package name on the public registry. When the application is next built or updated, the dependency manager pulls the malicious version from the public registry instead of the legitimate one from the private registry.
If a developer wants to install a package hosted on their private or internal repository but cannot reach the private repository where it is stored, the dependency manager will attempt to find a package of the same name on a public registry and use that instead.
[Figure A: Who might be impacted by dependency confusion attacks?]
Another way developers can defend against dependency confusion is to validate the source of a package, confirming it resolves to the expected registry, before installing new packages or updating to a newer version.
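The two behaviours described above, the fallback to a public registry that makes the attack possible and the source validation that prevents it, can be modelled in a few lines. The following is an added example written for this article; it is not code from the article or from OX Security. The registry URLs, the package names (acme-billing, requests-like), the version numbers and the index contents are all constructed for illustration, and the allowlist of internal package names is an assumed input that an organization would maintain itself.

```python
"""Toy model of dependency resolution with and without source validation.

Added example, not from the article or from OX Security. Registries, package
names, versions and index contents below are constructed for illustration.
"""
from urllib.parse import urlparse

PRIVATE_REGISTRY = "https://packages.internal.example"  # assumed private index
PUBLIC_REGISTRY = "https://registry.example.org"        # assumed public index

# Constructed index contents: package name -> {version: download URL}
PRIVATE_INDEX = {
    "acme-billing": {"1.4.0": PRIVATE_REGISTRY + "/acme-billing/1.4.0"},
}
PUBLIC_INDEX = {
    "requests-like": {"2.31.0": PUBLIC_REGISTRY + "/requests-like/2.31.0"},
    # Same name as the internal package, but published on the public registry
    "acme-billing": {"99.0.0": PUBLIC_REGISTRY + "/acme-billing/99.0.0"},
}

# Assumed allowlist: names that must only ever come from the private registry
INTERNAL_PACKAGES = {"acme-billing"}


def _version_key(version):
    """Sort key so that '99.0.0' compares higher than '1.4.0'."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name, private_reachable=True):
    """Mimic a client that merges candidates from every configured index and
    picks the highest version, falling back to the public index when the
    private one cannot be reached. Returns (version, source_url)."""
    candidates = {}
    if private_reachable:
        candidates.update(PRIVATE_INDEX.get(name, {}))
    candidates.update(PUBLIC_INDEX.get(name, {}))
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    best = max(candidates, key=_version_key)
    return best, candidates[best]


def resolve_validated(name, private_reachable=True):
    """Hardened resolution: an allowlisted internal name is only taken from
    the private registry, and if that registry is unreachable the install
    fails closed instead of falling back. Returns (version, source_url)."""
    if name in INTERNAL_PACKAGES:
        if not private_reachable:
            raise ConnectionError(
                f"private registry unreachable; refusing to resolve {name} elsewhere"
            )
        versions = PRIVATE_INDEX.get(name, {})
    else:
        versions = PUBLIC_INDEX.get(name, {})
    if not versions:
        raise LookupError(f"no candidates for {name}")
    best = max(versions, key=_version_key)
    return best, versions[best]


def source_is_valid(name, source_url):
    """Post-resolution check: an internal package must have resolved to the
    private registry host; any other package may come from anywhere."""
    if name not in INTERNAL_PACKAGES:
        return True
    return urlparse(source_url).netloc == urlparse(PRIVATE_REGISTRY).netloc


def audit_lock(resolved):
    """Run source_is_valid over a resolved set {name: source_url} (the shape
    of a lockfile) and return the names that resolved to the wrong registry."""
    return sorted(name for name, url in resolved.items() if not source_is_valid(name, url))


if __name__ == "__main__":
    print("naive:     ", resolve_naive("acme-billing"))
    print("validated: ", resolve_validated("acme-billing"))
    lock = {name: resolve_naive(name)[1] for name in ("acme-billing", "requests-like")}
    print("violations:", audit_lock(lock))
```

Note that the naive resolver picks the public package even when the private registry is reachable, because the attacker-chosen version number is higher; the unreachable-registry case in the article is only one of the two paths. The validated resolver removes both paths by tying the allowlisted name to one registry, and audit_lock gives the same guarantee after the fact by inspecting what a lockfile actually resolved to.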