Safeguard
Tag

dependency-confusion

Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.

51 articles

Supply Chain Attacks

npm package aliasing: the dependency confusion attack surface most teams never scan

npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.

Jul 16, 20266 min read
Supply Chain Security

npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware

event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.

Jul 15, 20266 min read
Supply Chain Attacks

Typosquatting and dependency confusion: a defense guide

In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.

Jul 14, 20266 min read
Supply Chain Attacks

Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks

In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.

Jul 11, 20265 min read
Supply Chain Attacks

How malicious Gemfile.lock entries redirect Ruby installs to attacker servers

A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.

Jul 11, 20266 min read
Supply Chain Security

Dependency confusion and npm supply-chain hardening

One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.

Jul 8, 20267 min read
Supply Chain Attacks

The string-width-cjs npm packages: a supply chain warm-up, not a breach

One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.

Jul 8, 20265 min read
Supply Chain Attacks

Software supply chain attack trends: what the public incident data shows

Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.

Jul 8, 20267 min read
Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
AI Security

Slopsquatting: When AI Hallucinates a Package Attackers Register

AI coding assistants confidently recommend packages that do not exist. Attackers noticed. Slopsquatting turns a model's hallucination into a supply-chain foothold — and the fix is not to make models stop hallucinating.

Jul 7, 20265 min read
Supply Chain Attacks

Anatomy of an npm Dependency Confusion Attack

One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.

Jul 7, 20266 min read
FAQ

Supply Chain Attacks FAQ: 2026 Threats Explained

Answers to the most common questions about software supply chain attacks in 2026 — how they work, famous examples, the main techniques, and how to defend against them.

Jul 5, 20266 min read
dependency-confusion — Safeguard Blog