Explainer

Dependency Confusion, Explained


Many companies use internal packages, say acme-auth or acme-billing, that are installed from a private registry. Dependency confusion happens when an attacker publishes a package with the same name on a public registry, usually with a higher version number than the internal one. Tooling that consults both registries and takes the highest version (or falls back to the public registry when the private lookup fails) then picks the public package and installs the attacker's code instead of yours.
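The resolution mistake described above, as a toy resolver you can run. This is an added example, not code from the original post or from any real package manager; the registries, package names, versions and URLs are constructed, and the "internal packages share the acme- prefix" rule is an assumption used to show the hardened form. The misconfigured resolver merges every registry and keeps the highest version; the hardened one never lets an internal name reach the public registry at all.

```python
"""Toy package resolver that reproduces dependency confusion.

Added example, not code from the original post. Registry contents,
package names, versions and URLs below are constructed for illustration.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed registry contents. The private registry hosts the real internal
# packages; the public one hosts an attacker's upload under the same name with
# a deliberately high version, plus an ordinary public package.
PRIVATE_REGISTRY = {
    "acme-auth": {"1.4.2": "https://registry.internal.example/acme-auth-1.4.2.tgz"},
    "acme-billing": {"2.0.0": "https://registry.internal.example/acme-billing-2.0.0.tgz"},
}

PUBLIC_REGISTRY = {
    "acme-auth": {"99.0.0": "https://registry.public.example/acme-auth-99.0.0.tgz"},  # attacker upload
    "requests": {"2.31.0": "https://registry.public.example/requests-2.31.0.tgz"},
}


@dataclass
class Resolution:
    name: str
    version: str
    source: str  # "private" or "public"
    url: str


def resolve_misconfigured(name: str) -> Resolution:
    """Vulnerable behaviour: query every registry and take the highest version.

    This merge-and-pick-highest behaviour is what makes dependency confusion
    work: the private 1.4.2 loses to the attacker's public 99.0.0.
    """
    candidates = []
    for source, registry in (("private", PRIVATE_REGISTRY), ("public", PUBLIC_REGISTRY)):
        for version, url in registry.get(name, {}).items():
            candidates.append(Resolution(name, version, source, url))
    if not candidates:
        raise LookupError(f"no registry serves {name}")
    return max(candidates, key=lambda r: parse_version(r.version))


INTERNAL_PREFIXES = ("acme-",)  # assumption: internal package names share this prefix


def resolve_hardened(name: str) -> Resolution:
    """Hardened behaviour: internal names are only ever looked up privately.

    A name matching an internal prefix never reaches the public registry, so an
    attacker's same-name upload is never even a candidate, whatever its version.
    Public names still resolve from the public registry.
    """
    if name.startswith(INTERNAL_PREFIXES):
        versions, source = PRIVATE_REGISTRY.get(name, {}), "private"
    else:
        versions, source = PUBLIC_REGISTRY.get(name, {}), "public"
    if not versions:
        raise LookupError(f"{name} not found in {source} registry")
    version = max(versions, key=parse_version)
    return Resolution(name, version, source, versions[version])


if __name__ == "__main__":
    for name in ("acme-auth", "acme-billing", "requests"):
        bad = resolve_misconfigured(name)
        good = resolve_hardened(name)
        print(f"{name}: misconfigured -> {bad.version} from {bad.source}; "
              f"hardened -> {good.version} from {good.source}")
```

Note that acme-billing resolves correctly even in the misconfigured resolver only because nobody has claimed that name publicly yet; the weakness is in the resolution rule, not in any one package. Real package managers express the hardened rule through their own configuration (scoped or prefix-bound registries, or disallowing public fallback for private indexes); the toy resolver here is only to make the two behaviours visible side by side.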

Why it works

The impact

How to defend

This is the internal-name cousin of typosquatting; both abuse package-name resolution to get attacker code installed.
