A recent OX Security report on application security found that applications with more than 1 billion users currently rely on dependencies that are vulnerable to dependency confusion attacks. Moreover, among the organizations found to be at risk, 73% of their assets are exposed to dependency confusion, underlining the scale of damage this type of attack can do to an organization. The research, which looked at over 54,000 repositories, covered both midsize and large organizations.
A dependency confusion attack is when a malicious actor publishes a package to a public registry under the same name as an organization's private, internally hosted package. Build tooling that resolves the name against the public registry as well as the private one, often preferring whichever registry offers the highest version, can then install the attacker's package in place of the legitimate one, without any developer having changed a dependency declaration. Dependency confusion attacks are dangerous because they often bypass traditional security measures: the malicious package arrives through the normal, trusted build path. According to the report, attacks are spread evenly across sectors.
Software companies are often particularly targeted by dependency confusion attacks because the company assumes a package name is safe once it lives in a private registry, while attackers can still discover that name on package hosting services, in public script files and build manifests, and in leaked internal paths.
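To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the OX Security report) that models how a multi-registry client resolves a package name, how a public copy of an internal name wins under highest-version resolution, what a hardened resolver that pins internal names to the private registry does instead, and a lockfile check that flags an internal name resolved from a public host. The registries, package names (`acme-auth-client`, `acme-logging`), versions, the host `npm.internal.example` and the lockfile contents are all constructed for illustration.

```python
"""Dependency confusion, modelled and checked offline.

Added example, not from the report. Registry contents, package names,
versions and the lockfile below are constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Constructed index contents: what each registry answers for a name.
PRIVATE_INDEX = {"acme-auth-client": ["1.2.0", "1.3.1"], "acme-logging": ["0.9.0"]}
PUBLIC_INDEX = {
    "requests": ["2.31.0", "2.32.3"],
    "acme-auth-client": ["99.0.0"],  # squatted copy of the internal name
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
INTERNAL_NAMES = {"acme-auth-client", "acme-logging"}


def parse_version(v):
    """Turn '1.3.1' into (1, 3, 1) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def resolve_naive(name, indexes):
    """A client with several indexes and no name-to-registry affinity
    (e.g. pip with --extra-index-url): every index is consulted and the
    highest version wins, regardless of where it came from."""
    candidates = []
    for source, index in indexes.items():
        for v in index.get(name, []):
            candidates.append((parse_version(v), v, source))
    if not candidates:
        raise LookupError(name)
    _, version, source = max(candidates)
    return version, source


def resolve_hardened(name, indexes, internal_names):
    """Internal names are answered only by the private index; anything
    else only by the public one. A missing internal package is an error,
    never a silent fallback to the public registry."""
    if name in internal_names:
        versions = indexes["private"].get(name)
        if not versions:
            raise LookupError(f"internal package {name} missing from private index")
        return max(versions, key=parse_version), "private"
    versions = indexes["public"].get(name)
    if not versions:
        raise LookupError(name)
    return max(versions, key=parse_version), "public"


# Constructed npm lockfile (v2/v3 "packages" layout, root entry is "").
LOCKFILE = json.dumps({
    "name": "demo-app",
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/acme-auth-client": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-99.0.0.tgz",
        },
        "node_modules/acme-logging": {
            "version": "0.9.0",
            "resolved": "https://npm.internal.example/acme-logging/-/acme-logging-0.9.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})


def audit_lockfile(lock_text, internal_names, private_host):
    """Return (name, version, host) for every internal package whose
    resolved tarball does not come from the private registry host."""
    findings = []
    lock = json.loads(lock_text)
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested deps
        host = urlparse(entry.get("resolved", "")).netloc
        if name in internal_names and host != private_host:
            findings.append((name, entry.get("version"), host))
    return findings


if __name__ == "__main__":
    print("naive:   ", resolve_naive("acme-auth-client", INDEXES))
    print("hardened:", resolve_hardened("acme-auth-client", INDEXES, INTERNAL_NAMES))
    print("lockfile:", audit_lockfile(LOCKFILE, INTERNAL_NAMES, "npm.internal.example"))
```

The naive resolver returns the squatted 99.0.0 from the public registry even though a legitimate 1.3.1 exists privately, which is exactly the confusion the report describes; the hardened resolver never asks the public registry for an internal name. The lockfile check is the cheap retrospective version of the same rule and is worth running in CI against every committed lockfile, with the internal name list taken from the private registry rather than guessed.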
Read the full report here.