
Warnings of A New Attack Called "Dependency Confusion" or "Substitution Attack"

         

engine

12:58 pm on Feb 10, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



There are warnings of a new attack called "dependency confusion" or "substitution attack," which come from Microsoft and were published in a white paper. The attack could allow bad actors to inject malicious code inside private code repositories by registering internal library names on public package indexes.

Read more here [medium.com...]
Read more here [zdnet.com...]

Read more here [azure.microsoft.com...]

graeme_p

1:47 pm on Feb 10, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do not run your own package repositories unless you know what you are doing!

There are multiple methods of specifying version numbers, locations etc. (at least with pip). For internal things you can point to a version control repo, with a full URL which is unambiguous - and saves you running your own repository.

It's interesting that this happens so often with language package repositories (especially npm!) and hardly ever with OS ones. That points to some possible solutions.
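To make the mechanism engine describes concrete, and to show the kind of "unambiguous location" rule graeme_p is getting at, here is an added example that is not from either post or from any of the linked papers. It is a toy model of how pip picks a package when it is given a private index plus a public one (`--index-url` together with `--extra-index-url`): candidates from both indexes are pooled and the highest version wins, whichever index it came from, so an attacker who registers the internal name publicly with a large version number gets selected. The second resolver shows the fix in principle: internal names are only ever looked up on the private index. The index contents, the package name `acme-internal-utils`, and the version numbers are all constructed for the example; the scoped lookup is something a proxy or namespace policy enforces, not a pip flag.

```python
"""Toy model of pip-style candidate selection across two package indexes.

Constructed example for illustration: the index contents below are made up.
"""
from dataclasses import dataclass

# Hypothetical index contents. The private index hosts the real internal
# package; on the public index an attacker has registered the same name
# with a deliberately high version number.
PRIVATE_INDEX = {
    "acme-internal-utils": ["1.2.0", "1.3.0"],
}
PUBLIC_INDEX = {
    "acme-internal-utils": ["99.0.0"],  # attacker-registered squat
    "requests": ["2.25.1", "2.31.0"],
}


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # which index the candidate came from


def parse_version(version: str) -> tuple:
    """Minimal dotted-integer version ordering (enough for this model)."""
    return tuple(int(part) for part in version.split("."))


def candidates(name: str, indexes: dict) -> list:
    """Collect every (name, version) offered by the given indexes."""
    found = []
    for index_name, index in indexes.items():
        for version in index.get(name, []):
            found.append(Candidate(name, version, index_name))
    return found


def best(cands: list, name: str) -> Candidate:
    if not cands:
        raise LookupError(f"no candidates for {name}")
    return max(cands, key=lambda c: parse_version(c.version))


def resolve_extra_index(name: str) -> Candidate:
    """Vulnerable behaviour: private index as --index-url, public index as
    --extra-index-url. pip pools candidates from both and takes the highest
    version, so the public 99.0.0 squat beats the private 1.3.0."""
    pooled = candidates(name, {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX})
    return best(pooled, name)


def resolve_scoped(name: str, internal_names: set) -> Candidate:
    """Mitigation: a name on the internal allowlist is only ever looked up
    on the private index; anything else is only looked up on the public one.
    (Modelled here as a policy a proxy or namespace rule would enforce.)"""
    if name in internal_names:
        scoped = candidates(name, {"private": PRIVATE_INDEX})
    else:
        scoped = candidates(name, {"public": PUBLIC_INDEX})
    return best(scoped, name)


if __name__ == "__main__":
    internal = {"acme-internal-utils"}
    print("pooled  :", resolve_extra_index("acme-internal-utils"))
    print("scoped  :", resolve_scoped("acme-internal-utils", internal))
    print("public  :", resolve_scoped("requests", internal))
```

Running it shows the pooled resolver returning the public 99.0.0 candidate for the internal name, while the scoped resolver returns 1.3.0 from the private index and still serves genuinely public packages such as `requests` from the public one. The same effect is what graeme_p's suggestion of a full VCS URL achieves for a single dependency: the location is fixed, so there is nothing for a public squat to compete with.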