eastbaycyber

What Is Dependency Confusion?

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Dependency confusion happens when a build tool, developer workstation, or CI/CD pipeline resolves a dependency to the wrong package source and pulls attacker-controlled code instead of the intended internal package. In simple terms, the system gets confused about which package is the real one.

Dependency confusion is a software supply chain attack in which a system installs a malicious public package because it mistakes it for an internal dependency. The attacker relies on package naming and repository resolution behavior, not on tricking a user to click a file. If a build system, developer workstation, or CI/CD pipeline pulls the wrong package, attacker-controlled code can enter a trusted software workflow.

How dependency confusion works

Modern software projects depend on large numbers of third-party and internal packages. Many organizations publish private packages for internal use while also allowing tools to pull packages from public ecosystems.

That combination creates risk if package resolution is not tightly controlled.

The basic attack path

A dependency confusion attack usually follows this pattern:

  1. The attacker identifies the name of an internal package used by an organization.
  2. The attacker publishes a package with the same name to a public repository.
  3. The package manager or build process checks multiple sources and selects the public package.
  4. The malicious package is installed and executed as part of dependency resolution or build steps.

The exact mechanics vary by language ecosystem and tooling, but the principle is the same: the attacker gets code into a trusted workflow by winning the name-resolution process.

Why the public package gets chosen

This usually happens because of one or more configuration problems:

  • The build process searches public repositories before or alongside private ones
  • Internal package names are not scoped or reserved
  • Version selection favors the higher-numbered public package
  • Developers assume a package name is private when it is not explicitly bound to a private source
  • CI/CD pipelines inherit default package manager behavior that is too permissive

For example, if an organization uses an internal package called acme-utils and a public package with the same name appears, an improperly configured resolver may fetch the public version.

What the malicious package does

Once installed, the package may do many things depending on the permissions available during the install or build process. Common actions include:

  • Collecting hostnames, usernames, and environment variables
  • Stealing tokens, API keys, or credentials available to the build job
  • Reaching out to attacker infrastructure
  • Modifying source or build artifacts
  • Installing additional payloads
  • Creating a foothold in developer or CI environments

In some cases the malicious package only proves installation by beaconing environment details. In a real intrusion, the objective could be access, persistence, or tampering.

Why dependency confusion matters

This attack matters because it targets a highly trusted part of the software lifecycle: dependency management. Development pipelines are often allowed to fetch code automatically, and install steps may run with broad access to repositories, secrets, signing systems, or deployment credentials.

That makes the blast radius potentially larger than a normal endpoint infection.

If the malicious package lands in a developer machine, the impact may be local. If it lands in a CI/CD system with elevated permissions, the attacker may gain access to:

  • Source code
  • Build secrets
  • Artifact repositories
  • Cloud credentials
  • Signing keys
  • Deployment workflows

The risk is not just that a package is malicious. It is that the package is treated as trusted because it arrived through a normal development path.

Common examples of dependency confusion risk

Dependency confusion risk tends to show up in a few predictable situations:

Mixed public and private registries

Organizations often allow package managers to query both an internal repository and a public registry. If the order of resolution is unclear or permissive, the wrong source may win.

Unscoped internal package names

Internal names that look generic, such as company-utils or internal-api-client, are easier to replicate publicly if they are not protected by a namespace or scope.

Automatic version preference

Some dependency resolvers prefer the highest available version number. An attacker can abuse that behavior by publishing a higher version than the internal package.

CI/CD environments with broad permissions

Build pipelines frequently have access to secrets, source repositories, and deployment systems. A malicious dependency in that environment can be far more damaging than one installed on a single laptop.

When you’ll encounter it

You will usually hear about dependency confusion in software security, DevSecOps, and supply chain risk discussions.

In CI/CD security reviews

This is one of the first areas mature teams check when reviewing build pipelines. If a pipeline pulls dependencies from both internal and public sources, dependency confusion should be part of the threat model.

For related background, see what is software supply chain security.

During package manager hardening

Teams working with ecosystems like npm, PyPI, NuGet, Maven, or similar repositories encounter the issue when designing private registry policies, namespace rules, and dependency resolution controls.

In software supply chain assessments

Dependency confusion is a common example used to show that not all supply chain risk comes from a compromised upstream maintainer. Sometimes the weakness is simply how internal dependencies are named and resolved.

After unexpected build or install behavior

If a build job suddenly installs an unfamiliar package, makes odd outbound requests, or shows new install-time scripts, defenders may investigate whether dependency resolution pulled the wrong package.

In red team or adversary simulation work

Purple teams and red teams may test whether internal package names can be inferred and whether build systems will resolve to public sources. This is a practical way to validate supply chain controls.

If you want the broader testing context, read what is purple team.

What reduces the risk

The most effective defenses are process and configuration controls, not just malware detection.

Common mitigations include:

  • Use private registries with explicit source controls
  • Scope or namespace internal packages where the ecosystem supports it
  • Avoid ambiguous package names
  • Pin dependencies and verify allowed sources
  • Prevent public fallback for internal packages
  • Review install-time scripts and package integrity controls
  • Treat CI/CD secrets and permissions as high-value assets
  • Monitor dependency changes in build logs and artifact generation

The main objective is to make package resolution deterministic, not opportunistic.

Practical security considerations for developers and teams

Dependency confusion is partly a package management problem, but it also overlaps with broader developer security hygiene.

Protect developer and build credentials

If a malicious package runs during installation, one of its first targets may be environment variables, saved tokens, or shared credentials. Teams that store secrets carelessly increase the damage of a successful package attack. For developer access and secret hygiene, a password manager like 1Password can help teams handle credentials more safely.

Secure endpoints used for development

A malicious package may drop additional files or attempt follow-on activity on the host where it lands. Endpoint protection is not the main fix for dependency confusion, but it can still help surface suspicious behavior on developer machines. In smaller environments, tools like Malwarebytes may provide another layer of visibility against malicious payloads.

Bottom line

Dependency confusion is a supply chain attack that exploits how build systems choose packages, not just what packages contain. If internal dependencies are not clearly separated from public ones, an attacker may be able to insert code into developer workflows or CI/CD pipelines simply by publishing a package with the right name. The fix is disciplined dependency resolution, private registry hygiene, and tighter control over what your build systems are allowed to trust.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.