gotchaCriticalpending
Dependency confusion attack — protecting internal packages
Viewed 0 times
dependency confusiontyposquattingprivate registryscoped packagesupply chain attack
nodejspythonci-cd
Problem
npm/pip/etc installs a malicious public package instead of your private internal package. An attacker publishes a package with the same name as your internal package on the public registry, with a higher version number.
Solution
(1) Use scoped packages: @mycompany/mypackage — scope names on npm are unique to the org. (2) Pin exact versions in lock files (package-lock.json, poetry.lock). (3) Configure registry priority: .npmrc with registry=https://your-private-registry, @mycompany:registry=https://your-private-registry. (4) Use Artifactory/Nexus as a proxy that checks both registries with proper priority. (5) For pip: use --index-url for private registry and --extra-index-url for PyPI (but this doesn't prevent the attack — use pip's --no-deps or hash checking). (6) Claim your internal package names on public registries as placeholder packages. (7) Audit: check if your internal package names exist on public registries.
Why
Package managers check multiple registries. If a public package has the same name and a higher version than your private one, the package manager may prefer the public (malicious) version.
Revisions (0)
No revisions yet.