Learn English vocabulary for dependency confusion attacks: namespace confusion, typosquatting, private registries, scoped packages, and defense strategies.
1 / 5
A 'dependency confusion' attack (also called namespace confusion) works because:
Researcher Alex Birsan demonstrated in 2021 that the build systems of many companies would install his public packages in place of their internal ones: the package manager looked up the internal package name on both the private registry and the public one and took whichever offered the higher version number, so an otherwise unclaimed public package carrying an absurdly high version (99.0.0, say) won. The technique landed his code inside Apple, Microsoft, PayPal and others.
2 / 5
Using 'scoped packages' (e.g., @mycompany/utils) as a defense against dependency confusion works because:
By claiming the @mycompany organisation on npm, only members of that organisation can publish @mycompany/ packages. An attacker cannot publish @mycompany/utils to the public registry without controlling that scope, which removes the confusion vector for that namespace. The protection only holds if the scope is actually claimed: an unregistered scope name is free for anyone to take, so the organisation must register it on the public registry even if it never publishes there.
3 / 5
'Typosquatting' in the package registry context differs from a dependency confusion attack in that:
Typosquatting relies on the developer making a mistake: the attacker registers a name that looks like a popular package (a transposed letter, a missing hyphen) and waits for someone to type it. Dependency confusion uses the exact, correct internal package name and exploits registry resolution order instead: the developer types the name correctly and still receives the attacker's public version.
4 / 5
A properly configured private registry can enforce that @mycompany/ packages only resolve internally and never fall through to npm, while public packages are proxied and cached. The client side needs the matching rule, an .npmrc line such as @mycompany:registry=https://npm.internal.example/ that sends the whole scope to the private registry, so the public registry is never even asked for those names. This controlled routing eliminates the ambiguity attackers exploit.
5 / 5
To mitigate dependency confusion risk in depth, security teams recommend configuring package managers to:
Pin exact versions and commit a lockfile with integrity hashes (npm records an SRI string of the form sha512-<base64>), so any substituted tarball fails the checksum check. Two caveats: the hash only protects builds that already have a trusted lockfile, since the install that first generated it could itself have been confused, and a plain npm install may rewrite the lockfile, so CI should use npm ci, which refuses to run when package.json and package-lock.json disagree. Combined with registry scoping and private registry routing rules, this creates defense-in-depth against confusion attacks.