
Security Researcher Explains His “Dependency Confusion” Exploit Method

The security researcher who discovered dependency confusion attacks against corporate apps has explained how his exploit works.


Yesterday we reported on Microsoft sending a warning about so-called “dependency confusion” attacks targeting developers. The company received its information from security researcher Alex Birsan, who has now discussed the vulnerability in depth in a Medium post.

Birsan points out that he was able to exploit the vulnerability and run code on servers belonging to over 30 companies, including Microsoft, PayPal and others. As Microsoft noted yesterday, the exploit is very simple and will likely change the way major companies handle in-house app development.

Many corporations develop their own applications, either for use in-house by employees or for external release. Developers within these organizations use package managers to handle the libraries that are then put together to assemble an app.

The attack method targets the app build process: the package managers that download and import libraries, and the repositories that host them. Many apps are assembled from a mix of public and private packages. If an attacker can discover the name of a private package, they can register that same name on a public repository and upload a malicious package under it.


This is how Birsan discovered the exploit. He says finding the names of private packages was extremely easy. Once he had them, he was able to upload his own code to the public repository under those names. Companies use automated build systems that pull code from both private and public repositories, and those systems would pick up the newly uploaded public code in place of the private packages.
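One defensive check that follows from the mechanism described above, written as an added example rather than anything from the article or from Birsan's research: audit an npm lockfile and flag any internal package name that was resolved from a registry other than the organization's private one. The package names, the private registry URL and the sample lockfile are all constructed for the example.

```javascript
// Added example: detect dependency confusion after the fact by checking where
// an npm lockfile (package-lock.json, lockfileVersion 2 or 3) resolved each
// internal package from. Names and URLs below are constructed placeholders.
const INTERNAL_PACKAGES = new Set(["acme-auth-utils", "acme-billing-core"]);
const PRIVATE_REGISTRY = "https://npm.internal.example.com/";

// Returns one finding { name, resolved } for every internal package whose
// "resolved" URL lies outside the private registry (e.g. the public npmjs.org).
function findConfusedDependencies(lockfile, internal = INTERNAL_PACKAGES,
                                  privateRegistry = PRIVATE_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    // The package name is everything after the last "node_modules/" segment,
    // so scoped names such as "@acme/foo" are kept intact.
    const name = path.replace(/^.*node_modules\//, "");
    if (!internal.has(name)) continue;
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(privateRegistry)) {
      findings.push({ name, resolved });
    }
  }
  return findings;
}

// Constructed lockfile: one internal package correctly pinned to the private
// registry, one that the resolver fetched from the public registry instead.
const SAMPLE_LOCKFILE = {
  name: "acme-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "acme-app" },
    "node_modules/acme-auth-utils": {
      version: "1.2.0",
      resolved: "https://npm.internal.example.com/acme-auth-utils/-/acme-auth-utils-1.2.0.tgz",
    },
    "node_modules/acme-billing-core": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-1.3.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

for (const f of findConfusedDependencies(SAMPLE_LOCKFILE)) {
  console.log(`WARNING: internal package ${f.name} resolved from ${f.resolved}`);
}
```

Running this against a real lockfile means loading it with JSON.parse and replacing the constructed name set and registry URL with the organization's own; the public lodash entry is not flagged because it is not an internal name.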

Discussing how he achieved this against PayPal, the researcher says:

“The idea was to upload my own “malicious” Node packages to the npm registry under all the unclaimed names, which would “phone home” from each computer they were installed on. If any of the packages ended up being installed on PayPal-owned servers — or anywhere else, for that matter — the code inside them would immediately notify me.”

Birsan says all of the companies he tested had given him permission, and he adds that each of them paid the maximum cash bounty reward they offer.


Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
