Tags
Supply Chain, CI/CD
ATT&CK Tactic
Initial Access (TA0001), Execution (TA0002)
Last edited
May 20, 2025 6:10 AM
Status
Finalized
A package dependency confusion attack is a type of software supply chain attack where an attacker exploits the way package managers resolve dependencies. The attacker uploads a malicious package to a public repository (like npm or PyPI) using the same name as an internal/private package used by a target organization. If the target's build system gives preference to public packages or doesn't properly configure package scopes, it may download and execute the malicious public version instead of the intended internal one, potentially leading to code execution or data exfiltration.
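The scope misconfiguration described above can be checked for in a build audit. The following is an added example, not code from this page: it flags internal npm dependencies that are either unscoped or whose scope has no `@scope:registry=` mapping in `.npmrc`. The package names, registry URL and internal-name list are constructed, and the check assumes the default registry is the public one.

```python
import json

# Constructed sample inputs (not from the page): a package.json, an .npmrc,
# and the organization's own list of internal package names.
PACKAGE_JSON = """{
  "dependencies": {
    "express": "^4.18.0",
    "@acme/auth-client": "^2.1.0",
    "@acme-tools/build-helpers": "^1.0.0",
    "acme-billing-utils": "^0.3.0"
  }
}"""
NPMRC = "; constructed example\n@acme:registry=https://npm.internal.example/\n"
INTERNAL_NAMES = {"@acme/auth-client", "@acme-tools/build-helpers", "acme-billing-utils"}

def scoped_registries(npmrc_text):
    """Return {scope: registry_url} parsed from '@scope:registry=URL' lines."""
    mapping = {}
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key.startswith("@") and key.endswith(":registry"):
            mapping[key[: -len(":registry")]] = value
    return mapping

def audit(package_json_text, npmrc_text, internal_names):
    """Flag internal dependencies that may resolve from the public registry.

    Assumption: anything without a scope-to-registry mapping falls through to
    the default registry, taken here to be the public one.
    """
    manifest = json.loads(package_json_text)
    scopes = scoped_registries(npmrc_text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name not in internal_names:
                continue
            if not name.startswith("@"):
                findings[name] = "unscoped internal name"
            elif name.split("/", 1)[0] not in scopes:
                findings[name] = "scope has no registry mapping"
    return findings

if __name__ == "__main__":
    for name, reason in audit(PACKAGE_JSON, NPMRC, INTERNAL_NAMES).items():
        print(f"{name}: {reason}")
```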