How Hackers Exploit Dependency Confusion to Breach Major Tech Companies

Hackers often seem to use mysterious "black magic", but many high‑impact attacks rely on surprisingly simple techniques. One such technique, called dependency confusion, tricks package managers into installing malicious code from public registries when they resolve internal package names.

Background

Package managers such as pip for Python, npm for Node.js, and gem for Ruby automatically download dependencies from public repositories. When a private package name does not exist in the public registry, an attacker can publish a malicious package with the same name, causing any installation that trusts the public index to fetch the attacker‑controlled code.

Methodology

The author, Alex Birsan, created malicious packages for Node, Python and Ruby and uploaded them under names that appeared to be internal to target companies. The packages contained a preinstall script (Node) or equivalent hook that collected the username, hostname and installation path, encoded the data in hexadecimal, and sent it out via DNS queries to a custom name server under the attacker’s control.

Data exfiltration via DNS was chosen because outbound DNS traffic is rarely blocked or inspected, allowing the information to reach the attacker even from inside well‑protected corporate networks.

Finding Targets

To discover internal package names, the author scraped public JavaScript files, GitHub repositories, and other internal build artifacts that inadvertently leaked package.json dependencies. Automated scanning of millions of domains yielded hundreds of previously unseen package names.

These names were then used to publish malicious packages on npm, PyPI and RubyGems. The author also leveraged the --extra-index-url option in pip, which checks a private index before the public one, creating a second attack vector.

Results

The attack proved highly effective. Over 35 organizations were tested across all three languages, with a success rate the author describes as “staggering.” Notable payouts included $30,000 from Shopify and Apple each, and $40,000 from Microsoft’s Azure Artifacts program.

Implementing a backdoor in an operational service requires a more complex event sequence; this is a very specific term with additional implications.

Most successful callbacks (≈75 %) came from npm packages, but Python and Ruby were also vulnerable. Companies such as Netflix, Yelp and Uber were affected.

Root Causes

The primary cause is the trust placed in package names without verification. In Python, the unsafe use of --extra-index-url causes the installer to check a private index first, then fall back to the public index, enabling hijacking. Similar behaviors exist in Ruby’s gem install --source and npm’s pre‑install scripts.

Mitigations

Replace --extra-index-url with --index-url to avoid private‑public fallback.

Implement strict namespace policies and reserve internal package names.

Audit build pipelines for accidental exposure of package.json files.

Monitor DNS queries for unexpected exfiltration patterns.

Future Research

Further work includes automating the discovery of leaked internal package names, expanding the attack surface to additional languages and registries, and developing more robust defenses against dependency‑confusion attacks.