Front Page: NCSC-FI

Dependency confusion exposes organisations to attacks

Information security now!

Supply chain attacks are here to stay, and organisations often have to rely on several external software suppliers when building their systems. According to a report published earlier this year, a researcher managed to hack into the systems of Apple, Microsoft and others by uploading his own code packages to their repositories. To do so, the researcher exploited errors in the package management of widely used programming languages. Dependency confusion can arise when an organisation's internal and external package repositories contain packages with identical names, so that the package manager may fetch the external package instead of the intended internal one.
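As an added illustration (not part of the NCSC-FI article), the following Python script checks a project for the two conditions the article describes: a pip configuration that consults the public index alongside the private one, and required internal package names that also exist on the public index. The package names, the pip.conf and the public-index listing are constructed sample data, not real lookups.

```python
"""Check a Python project for dependency-confusion exposure.

Flags (1) pip configured with extra-index-url, so the public index is
searched next to the private one, and (2) internal package names that
also exist on the public index. All inputs below are constructed.
"""
from configparser import ConfigParser
import re

def normalise(name):
    """PEP 503-style name normalisation: lower-case, '_' treated as '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return normalised distribution names from requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip options like -e, -r
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalise(m.group(0)))
    return names

def uses_extra_index(pip_conf_text):
    """True if pip.conf adds a second index beside index-url."""
    cp = ConfigParser()
    cp.read_string(pip_conf_text)
    return cp.has_option("global", "extra-index-url")

def find_collisions(internal_names, public_names, requirements):
    """Required internal packages whose name is also present publicly."""
    internal = {normalise(n) for n in internal_names}
    public = {normalise(n) for n in public_names}
    return sorted(n for n in requirements if n in internal and n in public)

# Constructed sample data (hypothetical package names)
SAMPLE_REQUIREMENTS = "requests==2.31.0\nacme-billing>=1.2  # internal\nacme_auth\n-e ./local\n"
SAMPLE_PIP_CONF = ("[global]\nindex-url = https://pypi.internal.example/simple\n"
                   "extra-index-url = https://pypi.org/simple\n")
INTERNAL = {"acme-billing", "acme-auth"}
PUBLIC = {"requests", "acme-billing"}   # same name registered publicly

def assess():
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    return {"extra_index": uses_extra_index(SAMPLE_PIP_CONF),
            "collisions": find_collisions(INTERNAL, PUBLIC, reqs)}

if __name__ == "__main__":
    print(assess())
```

A result with extra_index set and a non-empty collisions list means the resolver can be steered to the public copy; serving every package through a single private index (index-url only) removes the ambiguity.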