this post was submitted on 14 Aug 2023
6 points (100.0% liked)

Cybersecurity News

1334 readers
1 users here now

Welcome to Cybersecurity News!

A community that collect news and other tidbits related to cybersecurity in all its domains.

There are no hard and fast rules regarding what to post here-- we are fine with both pop news articles and more technical pieces regarding cybersecurity.

We use a bot called flynnbot to repost some rss feed content but the majority of posts are human-curated.

New to Cybersecurity?

Here are some resources to get you started:

Related Communities

!security_cpe@infosec.pub
!cybersecurity@zerobytes.monster
!packetstorm@zerobytes.monster
!security@programming.dev
!secops@lemmy.world
!cybersecurity@sh.itjust.works
!netsec@zerobytes.monster
!securitynews@infosec.pub
!cloudsecurity@infosec.pub
!netsec@links.hackliberty.org
!cybersecurity@infosec.pub
!cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
videodrome@lemmy.capebreton.social
flynnbot@lemmy.capebreton.social
6
Dependency Confusion Attacks: New Research Into Which Businesses are At Risk (www.techrepublic.com)
submitted 2 years ago by flynnbot@lemmy.capebreton.social to c/cybersecurity@lemmy.capebreton.social
1 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Elephant0991@lemmy.bleh.au 2 points 2 years ago

Summary

Dependency confusion is a cybersecurity threat that involves uploading a malicious software package with the same name as an authentic one in your private repository to a public package repository. This can trick developers into using the malicious version of the package, which could contain malware or other malicious code.

Dependency confusion attacks are becoming increasingly common, and they can impact organizations of all sizes. In fact, a recent study found that almost all applications with more than one billion users and more than 50% of applications with 30 million users are using dependencies that are vulnerable to dependency confusion attacks.

There are a number of things that organizations can do to prevent dependency confusion attacks, including:

  • Reserving private package names in the public registry so nobody can register them in the public registry.
  • Validating the package source before installing new packages or updating to an updated version.
  • Using package managers that allow the use of prefixes, IDs, or namespaces when naming their packages.

By taking these steps, organizations can help to protect themselves from dependency confusion attacks and keep their systems and data safe.

Additional Details

  • The attacker first identifies a package name in the private repository and registers the same package name in the public repository.
  • When a new update to the application is installed, it hooks with the malicious version on the public registry instead of the safe one in the private registry.
  • Dependency confusion attacks are a form of supply chain attack, and they can have a significant impact on organizations.