Microsoft has published a white paper on Tuesday about a new type of attack technique called a "dependency confusion" or a "substitution attack" that can be used to poison the app-building process inside corporate environments.
The technique revolves around concepts like package managers, public and private package repositories, and build processes.
Today, developers at small or large companies use package managers to download and import libraries that are then assembled together using build tools to create a final app.
This app can be offered to the company's customers or can be used internally at the company as an employee tool.
But some of these apps can also contain proprietary or highly-sensitive code, depending on their nature. For these apps, companies will often use private libraries that they store inside a private (internal) package repository, hosted inside the company's own network.
When apps are built, the company's developers will mix these private libraries with public libraries downloaded from public package portals like npm, PyPI, NuGet, or others.
NEW "DEPENDENCY CONFUSION" ATTACK
In research published on Tuesday, a team of security researchers has detailed a new concept called "dependency confusion" that attacks these mixed app-building environments inside large corporations.
Image source: Forbes