dependency-confusion
Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.
51 articles
npm package aliasing: the dependency confusion attack surface most teams never scan
npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.
npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware
event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.
Typosquatting and dependency confusion: a defense guide
In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.
Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks
In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.
How malicious Gemfile.lock entries redirect Ruby installs to attacker servers
A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.
Dependency confusion and npm supply-chain hardening
One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.
The string-width-cjs npm packages: a supply chain warm-up, not a breach
One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.
Software supply chain attack trends: what the public incident data shows
Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.
Software supply chain attacks in 2026: what's actually changed
A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.
Slopsquatting: When AI Hallucinates a Package Attackers Register
AI coding assistants confidently recommend packages that do not exist. Attackers noticed. Slopsquatting turns a model's hallucination into a supply-chain foothold — and the fix is not to make models stop hallucinating.
Anatomy of an npm Dependency Confusion Attack
One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.
Supply Chain Attacks FAQ: 2026 Threats Explained
Answers to the most common questions about software supply chain attacks in 2026 — how they work, famous examples, the main techniques, and how to defend against them.