Tags
Supply Chain, CI/CD
ATT&CK Tactic
Initial Access (TA0001), Execution (TA0002)
Incidents
Multiple organizations vulnerable to dependency confusion; Ivanti supply chain attack via compromised library; PyTorch-nightly torchtriton dependency compromise
Tech
npm, PyPI
References
https://owasp.org/www-project-open-source-software-top-10/0-1-risks/OSS3-Name-Confusion-Attack.html
Last edited
May 20, 2025 6:10 AM
Status
Finalized
Defenses
SBOM
A package dependency confusion attack is a type of software supply chain attack where an attacker exploits the way package managers resolve dependencies. The attacker uploads a malicious package to a public repository (like npm or PyPI) using the same name as an internal/private package used by a target organization. If the target's build system gives preference to public packages or doesn't properly configure package scopes, it may download and execute the malicious public version instead of the intended internal one, potentially leading to code execution or data exfiltration.
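A build-time audit for the two misconfigurations described above, as an added example that is not part of the original page: it flags internal npm dependencies that are unscoped or whose scope is not pinned to a registry in `.npmrc`, and pip configurations that add a second index with `extra-index-url`. The package names, the `internal.example` hosts and the internal-name inventory (for instance, one derived from an SBOM) are constructed assumptions.

```python
import json
import re

def audit_npm(package_json: str, npmrc: str, internal_names: set) -> list:
    """Flag internal npm dependencies that could resolve from the public registry."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    # Scopes pinned to a registry, e.g. "@acme:registry=https://npm.internal.example/"
    pinned = set(re.findall(r"^\s*(@[^:\s]+):registry\s*=", npmrc, flags=re.M))
    findings = []
    for name in sorted(deps):
        if name not in internal_names:
            continue  # public dependency, out of scope for this check
        if not name.startswith("@"):
            findings.append(f"{name}: unscoped internal name, claimable on the public registry")
        elif name.split("/", 1)[0] not in pinned:
            findings.append(f"{name}: scope has no registry mapping in .npmrc")
    return findings

def audit_pip(pip_conf: str) -> list:
    """Flag extra-index-url: pip merges candidates from every index and picks the best version."""
    if re.search(r"^\s*extra-index-url\s*=", pip_conf, flags=re.M):
        return ["extra-index-url set: a higher public version can win over the internal package"]
    return []

# Constructed sample inputs (not taken from any real project).
PACKAGE_JSON = json.dumps({"dependencies": {
    "acme-billing": "^1.2.0",      # internal, unscoped
    "@acme/auth": "^3.0.0",        # internal, scope pinned below
    "@acme-tools/lint": "^1.0.0",  # internal, scope not pinned
    "express": "^4.18.0",          # public
}})
NPMRC = "@acme:registry=https://npm.internal.example/\n"
INTERNAL = {"acme-billing", "@acme/auth", "@acme-tools/lint"}
PIP_CONF = ("[global]\n"
            "index-url = https://pypi.internal.example/simple\n"
            "extra-index-url = https://pypi.org/simple\n")

if __name__ == "__main__":
    for finding in audit_npm(PACKAGE_JSON, NPMRC, INTERNAL) + audit_pip(PIP_CONF):
        print("FINDING:", finding)
```

Run in CI before dependency installation, a non-empty findings list can fail the build.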