Dependency Confusion Attacks

How a public package can shadow your private one during install.

Name Collisions Become Exploits

Dependency confusion happens when a package installer is allowed to satisfy a dependency from more than one registry and prefers a public package over a private one sharing the same name. An attacker learns the name of an internal package, publishes a malicious package under that name on the public registry with a higher version number, and the resolver selects theirs instead of yours.

Why It Works

  • Some installers query public and private registries together and pick the highest version found, regardless of which registry served it (pip with --extra-index-url is the classic case).
  • Internal package names leak through build logs, manifests such as package.json or requirements files, error messages, and published source.
  • The malicious package runs install-time hooks (npm preinstall/postinstall scripts, setup.py for Python) with the privileges, credentials, and network access of the build or CI job.

Defenses

  • Scope or namespace private packages (for example npm @org/name) and claim that scope or name on the public registry so nobody else can register it.
  • Point installs at the private registry only: map internal names or scopes to it in the installer config and disable fallback to the public registry. For pip, use a single --index-url that proxies approved public packages rather than --extra-index-url, which merges both indexes and selects by version.
  • Use a lockfile with integrity hashes so that a later resolution to a different artifact fails, and review every new dependency before it enters the lock. A lockfile only protects installs after the first trusted resolution, so it complements registry pinning rather than replacing it.
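
The following added example (not code from the original lesson) simulates both halves of the story: a resolver that merges a private and a public registry and takes the highest version, which is exactly the behavior the "Why It Works" list describes, beside a pinned resolver and a lockfile integrity check that implement the defenses above. The registry contents, the package name `acme-internal-utils`, the `acme-` prefix and the lockfile entry are all constructed for illustration.

```python
"""Dependency confusion: vulnerable merged resolution vs. pinned resolution.

Added example, not part of the original lesson. All registry contents,
package names and hashes below are constructed for illustration.
"""
from dataclasses import dataclass
import hashlib

# Constructed registries. The attacker has published a package on the public
# registry under the internal name with a much higher version number.
PRIVATE_REGISTRY = {
    "acme-internal-utils": {"1.4.2": b"internal-build-1.4.2"},
}
PUBLIC_REGISTRY = {
    "requests": {"2.31.0": b"requests-2.31.0"},
    "acme-internal-utils": {"99.0.0": b"malicious-payload"},
}
ALL_REGISTRIES = {"private": PRIVATE_REGISTRY, "public": PUBLIC_REGISTRY}


def version_key(version: str) -> tuple:
    """Order dotted numeric versions correctly ("1.10.0" > "1.9.0")."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Resolved:
    name: str
    version: str
    registry: str
    sha256: str  # hash of the fetched artifact


def _highest(name: str, registries: dict) -> Resolved:
    """Pick the highest version of `name` across the given registries."""
    candidates = []
    for reg_name, reg in registries.items():
        for ver, blob in reg.get(name, {}).items():
            candidates.append((version_key(ver), ver, reg_name, blob))
    if not candidates:
        raise LookupError(f"{name}: not found in any configured registry")
    _, ver, reg_name, blob = max(candidates)
    return Resolved(name, ver, reg_name, hashlib.sha256(blob).hexdigest())


def resolve_merged(name: str) -> Resolved:
    """Vulnerable behaviour: search every registry and take the highest version,
    as an installer configured with pip's --extra-index-url effectively does."""
    return _highest(name, ALL_REGISTRIES)


def resolve_pinned(name: str, internal_prefix: str = "acme-") -> Resolved:
    """Defense: internal names (constructed prefix `acme-`) are fetched only from
    the private registry and everything else only from the public one, so a
    public package can never shadow a private name."""
    if name.startswith(internal_prefix):
        return _highest(name, {"private": PRIVATE_REGISTRY})
    return _highest(name, {"public": PUBLIC_REGISTRY})


# Constructed lockfile: the artifact hash recorded at the first trusted install.
LOCKFILE = {
    "acme-internal-utils": hashlib.sha256(b"internal-build-1.4.2").hexdigest(),
}


def verify_against_lock(resolved: Resolved, lockfile: dict = LOCKFILE) -> bool:
    """Second defense: refuse any artifact whose hash differs from the lockfile.
    Packages absent from the lock are new and should be reviewed, not trusted."""
    locked = lockfile.get(resolved.name)
    return locked is not None and locked == resolved.sha256


if __name__ == "__main__":
    bad = resolve_merged("acme-internal-utils")
    print(f"merged:  {bad.name} {bad.version} from {bad.registry} "
          f"(lock ok: {verify_against_lock(bad)})")
    good = resolve_pinned("acme-internal-utils")
    print(f"pinned:  {good.name} {good.version} from {good.registry} "
          f"(lock ok: {verify_against_lock(good)})")
```

Running it shows the merged resolver returning 99.0.0 from the public registry, which the lockfile check then rejects, while the pinned resolver returns 1.4.2 from the private registry and passes. Note that the lockfile check only fires because a trusted hash was recorded earlier; on a first install with no lock, pinning is the only thing standing between you and the attacker's package.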

Key idea

Dependency confusion lets a public package shadow a private one by carrying the same name and a higher version number, so scope internal names, pin them to the private registry with no public fallback, and lock resolved artifacts with integrity hashes.

Check yourself

1. What makes dependency confusion succeed?

2. Which defense directly prevents the swap?