Alex Birsan published the dependency confusion attack in 2021. Five years later, the attack is still producing incidents because the defences remain uneven across ecosystems and organisations. The detection problem has evolved — modern attacks use internal-looking names, spoofed publish metadata, and targeted package namespaces. Static pattern matching catches the obvious cases and misses the ones that disproportionately matter. Griffin AI and Mythos-class general-purpose tools diverge on this detection, and the gap matters because dependency confusion is one of the attacks most likely to reach production via an AI-assisted engineering workflow.
What modern dependency confusion looks like
Three patterns that appear in 2026 incidents:
- Internal-namespace squatting on public registries. An attacker publishes
@mycompany/internal-serviceon public npm, hoping a developer's resolver reaches public before internal. - Typosquatting with internal intent. An attacker publishes packages targeting specific known-internal names with small variations.
- Registry priority mismatches. An organisation uses a private registry but some CI configurations still default to public. The attacker's package is pulled by the misconfigured CI.
Each requires different detection.
How Griffin AI handles it
Three integrated capabilities:
Registry-aware dependency resolution. The engine knows which registries are configured for each project and which packages should resolve to each. A package declared in the internal registry that also exists publicly is flagged as a risk.
Scope-collision detection. Internal namespaces (e.g., @mycompany/*) are tracked; public packages using those namespaces are surfaced automatically.
Publisher verification. For packages pulled from public registries, publisher identity is checked against expected publishers. A new publisher on an expected-internal name is flagged.
A concrete example
A Node.js service declares a dependency on @acme/shared-auth. The org runs its own private npm registry where @acme/shared-auth is published. A CI pipeline has a misconfigured .npmrc that falls back to public npm if the internal registry returns 404.
During a deploy, the internal registry has a brief 500 error. The CI falls back to public npm. An attacker has published @acme/shared-auth on public npm. The malicious package is pulled, installed, and runs.
Griffin AI surfaces this in two ways: (1) @acme/* scope collision on public registry, flagged during routine scans; (2) CI registry-fallback misconfiguration surfaced as a policy finding.
A Mythos-class tool often catches (1) but misses (2) because the CI configuration is a separate reasoning task.
What to evaluate
Three concrete checks:
- Create a public package matching your internal namespace. Does the platform flag it?
- Introduce a CI fallback misconfiguration. Is it detected?
- Change the publisher on an internal-looking public package. Is the publisher-drift flagged?
How Safeguard Helps
Safeguard's dependency confusion detection combines registry-aware resolution, scope-collision detection, publisher verification, and CI configuration analysis. Findings come with the specific attack vector and remediation recommendation. For organisations whose internal namespace is large or whose CI configurations vary across repos, this coverage is the architectural property that makes dependency confusion preventable rather than post-incident.