How I approached Dependency Confusion!

Aditya Soni
Jan 31, 2022

Hi People,

Hope you are doing well. I know I took a little longer to publish this blog, so apologies for that.

In this blog, I will be sharing my approach to finding Dependency Confusion bugs. This blog is totally inspired by Alex Birsan's research on Dependency Confusion.

Let’s Begin! :)

# What is Dependency Confusion?

A Dependency Confusion attack (also called a supply chain substitution attack) occurs when a software installer or build script is tricked into pulling a malicious package from a public repository instead of the intended package of the same name from an internal repository. The installer resolves the name against the public registry, finds a package there, and installs it without ever reaching the private one.

# Case Study

When the blog was published, the technique was new to the internet and attracted many eyes. I was one of the many who wanted to find a dependency confusion bug.

A dependency confusion bug can be reported when you find a package that is being installed but is not listed in the public registry for that ecosystem, since a public package with the same name would then take precedence. Some ecosystems where this vulnerability can be found are Python (PyPI), npm, Ruby (RubyGems), etc.

The major bugs which I reported were npm-based dependencies.
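The check described above, written as an added example that is not part of the original post: it audits a project's own `package.json` against its `.npmrc` and reports every dependency that would resolve to the public npm registry although no package of that name is published there. Everything here is an assumption of the example, not the author's tooling: the function names (`audit`, `parse_npmrc`, `registry_for`), the constructed `package.json` and `.npmrc` for a fictional "acme" organisation, and the injected lookup so the logic runs offline (`npm_registry_has` does a live lookup when you run it for real).

```python
"""Audit a package.json for dependency-confusion exposure (added example).

A dependency is exposed when npm would resolve it from the public registry
(no private registry configured for its scope) and no such package exists
there. Registry lookups are injected so the audit can run offline.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Specs that are never resolved through a registry at all.
NON_REGISTRY_PREFIXES = ("file:", "link:", "workspace:", "git+", "git://",
                         "github:", "http://", "https://")


def parse_npmrc(text: str) -> Dict[str, str]:
    """Map scope -> registry URL from lines such as
    '@acme:registry=https://npm.acme.internal/'.
    A plain 'registry=' line is stored under the empty scope ''."""
    scopes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(?:(@[^:]+):)?registry\s*=\s*(\S+)$", line)
        if m:
            scopes[m.group(1) or ""] = m.group(2)
    return scopes


def registry_for(name: str, scopes: Dict[str, str]) -> str:
    """Registry npm would use for this package name: scope mapping first,
    then the default 'registry=' line, then the public registry."""
    scope = name.split("/")[0] if name.startswith("@") else ""
    return scopes.get(scope, scopes.get("", PUBLIC_REGISTRY))


def npm_registry_has(name: str) -> bool:
    """Live lookup (assumed usage): 200 means published, 404 means free."""
    url = PUBLIC_REGISTRY + urllib.parse.quote(name, safe="@")  # '/' -> %2F
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


def audit(package_json: str, npmrc: str,
          exists_publicly: Callable[[str], bool]) -> List[dict]:
    """Return one finding per dependency that resolves to the public
    registry but is not published there."""
    pkg = json.loads(package_json)
    scopes = parse_npmrc(npmrc)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if spec.startswith(NON_REGISTRY_PREFIXES):
                continue  # pinned to a path/URL, not registry-resolved
            reg = registry_for(name, scopes)
            if reg.rstrip("/") != PUBLIC_REGISTRY.rstrip("/"):
                continue  # served by a private registry
            if not exists_publicly(name):
                findings.append({"field": field, "name": name, "spec": spec,
                                 "reason": "resolves to the public registry "
                                           "but is not published there"})
    return findings


# Constructed sample input for a fictional organisation (not real data).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-frontend",
    "dependencies": {
        "react": "^17.0.2",              # public, published: fine
        "acme-ui-kit": "^2.1.0",         # internal but unscoped: exposed
        "@acme/auth-client": "^1.4.0",   # scoped to the private registry
        "@acme/telemetry": "^0.3.0",
    },
    "devDependencies": {"acme-build-tools": "^3.0.0"},  # unscoped: exposed
})
SAMPLE_NPMRC = "@acme:registry=https://npm.acme.internal/\n"
KNOWN_PUBLIC = {"react"}  # constructed stand-in for live registry answers


def sample_lookup(name: str) -> bool:
    return name in KNOWN_PUBLIC


if __name__ == "__main__":
    for f in audit(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, sample_lookup):
        print(f"{f['field']}: {f['name']} {f['spec']} -> {f['reason']}")
```

With the sample `.npmrc`, only the two unscoped internal names are flagged; run the same `package.json` with an empty `.npmrc` and all four internal packages are flagged, which is the mitigation in one line: put internal packages under a scope and map that scope to the private registry so unscoped lookups never reach the public one.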

# How to identify a vulnerable package?