Dependency Substitution Issues
Dependency Substitution, also known as Dependency Confusion, is a type of attack in which bad actors learn or guess a company's internal package naming convention and use that knowledge to publish malicious versions of packages with those names to a public package registry.
Because many package managers consult public registries alongside internal ones, this often leads to the substituted packages being installed on developer workstations, and potentially even being deployed.
Refer to our article about Package Mask Configurations to learn how to configure a Package Mask and protect against Dependency Substitution attacks.
If these malicious substituted packages are installed or deployed, they can leave you, or your users, vulnerable to attacks such as remote code execution, unauthorized data access, compromised systems, and more.
To protect you from using substituted versions of your own internal packages, SOOS allows you to set a Package Mask that represents your internal package naming convention. SOOS then checks every package coming from an external package registry to ensure it does not match your internal package naming, and alerts you if one does.
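The following is an added illustration of the kind of check a package mask enables; it is not SOOS's own code. It assumes masks are shell-style globs (such as `@acme/*` or `acme-*`), that each resolved dependency records the registry it was fetched from, and the sample masks, registry URLs and lockfile entries are constructed.

```python
"""Illustrative package-mask check (added example, not SOOS's own code).

Assumptions (not from the page): masks are shell-style globs such as
"@acme/*" or "acme-*"; each resolved dependency records the registry it
was fetched from; any registry not in INTERNAL_REGISTRIES is external.
"""
from fnmatch import fnmatchcase

# Constructed sample masks describing a fictional internal naming convention.
PACKAGE_MASKS = ["@acme/*", "acme-*"]

# Registries the organisation controls; everything else is treated as public.
INTERNAL_REGISTRIES = {"https://npm.internal.acme.example"}


def matches_mask(name: str, masks) -> bool:
    """True if the package name matches any internal naming mask.

    Names are lower-cased first because most registries treat package
    names case-insensitively, so "Acme-Utils" must still match "acme-*".
    """
    lowered = name.lower()
    return any(fnmatchcase(lowered, mask.lower()) for mask in masks)


def find_substitutions(resolved, masks=PACKAGE_MASKS, internal=INTERNAL_REGISTRIES):
    """Return resolved dependencies that match an internal mask but were
    fetched from a registry the organisation does not control.

    `resolved` is an iterable of (name, version, registry_url) triples, as a
    lockfile or install log would provide them.
    """
    findings = []
    for name, version, registry in resolved:
        if registry in internal:
            continue  # served by our own registry: expected
        if matches_mask(name, masks):
            findings.append({"name": name, "version": version, "registry": registry})
    return findings


# Constructed sample of what a lockfile might resolve to.
SAMPLE_RESOLVED = [
    ("@acme/auth-client", "2.1.0", "https://npm.internal.acme.example"),
    ("lodash", "4.17.21", "https://registry.npmjs.org"),
    ("acme-logging", "99.0.0", "https://registry.npmjs.org"),  # internal name, public source
    ("Acme-Utils", "1.0.3", "https://registry.npmjs.org"),     # case variant of internal name
]

if __name__ == "__main__":
    for hit in find_substitutions(SAMPLE_RESOLVED):
        print(f"ALERT: {hit['name']}@{hit['version']} matches an internal "
              f"package mask but was resolved from {hit['registry']}")
```

Running this against the constructed sample flags `acme-logging` and `Acme-Utils`, which is the condition a Package Mask alert corresponds to.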