
What are they?

Dependency Substitutions, also known as Dependency Confusion, are a type of attack in which bad actors learn a company's internal package naming convention and use it to publish malicious packages under those names to a public package registry.

Because package managers often prefer the public registry or the higher version number, this can lead to the substituted packages being installed on developer workstations and potentially even being deployed.

How does that affect my code?

If these malicious substituted packages are installed and/or deployed, they can leave you, or your users, vulnerable to attacks such as remote code execution, unauthorized data access, system compromise, and more.

What can I do about it?

To protect yourself from using substituted versions of your own internal packages, SOOS allows you to set a Project Mask by identifying your internal package naming convention. SOOS will then check every package coming from an external package registry to ensure it does not match your internal package naming, and will alert you if one does.
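As an added illustration of the check described above (example code written for this article, not SOOS's own implementation), the snippet below applies glob-style project masks to a list of resolved packages and flags any package whose name matches an internal mask but was fetched from a registry other than the internal one. The mask patterns, the internal registry host, the `ResolvedPackage` record, and the sample package list are all assumptions constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass


# Hypothetical record of what a lockfile or install log tells us about each
# resolved package and which registry it was fetched from.
@dataclass(frozen=True)
class ResolvedPackage:
    name: str
    version: str
    registry: str  # URL of the registry the package was fetched from


# Assumed internal naming conventions, glob style: an npm scope and a name prefix.
PROJECT_MASKS = ["@acme/*", "acme-*"]

# Assumed internal registry host; any other host is treated as external/public.
INTERNAL_REGISTRY_HOSTS = {"npm.internal.acme.example"}


def registry_host(url: str) -> str:
    """Extract the lowercased host from a registry URL (falls back to the raw string)."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def matches_mask(name: str, masks) -> bool:
    """Case-insensitive glob match; most registries treat package names case-insensitively."""
    return any(fnmatch.fnmatchcase(name.lower(), m.lower()) for m in masks)


def find_substitutions(packages, masks=PROJECT_MASKS, internal_hosts=INTERNAL_REGISTRY_HOSTS):
    """Return packages that look internal by name but were fetched from an external registry."""
    return [
        pkg for pkg in packages
        if matches_mask(pkg.name, masks) and registry_host(pkg.registry) not in internal_hosts
    ]


# Constructed sample input: one internal-looking package from the internal registry,
# two internal-looking packages resolved from the public registry, one unrelated package.
SAMPLE = [
    ResolvedPackage("@acme/auth-client", "1.4.0", "https://npm.internal.acme.example/"),
    ResolvedPackage("@acme/auth-client", "99.0.0", "https://registry.npmjs.org/"),
    ResolvedPackage("acme-billing-utils", "2.0.1", "https://registry.npmjs.org/"),
    ResolvedPackage("lodash", "4.17.21", "https://registry.npmjs.org/"),
]

if __name__ == "__main__":
    for pkg in find_substitutions(SAMPLE):
        print(f"ALERT: {pkg.name}@{pkg.version} matches a project mask but came from {pkg.registry}")
```

Run against real lockfile data, the same logic flags exactly the two externally sourced internal-looking packages while leaving the genuinely internal copy and the unrelated public package alone.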

Refer to our article about Using Project Masks for details about this configuration.

Read here about how one developer hacked dozens of high profile tech companies using Dependency Confusion attacks!