PayloadsAllTheThings/Dependency Confusion
2022-04-24 15:01:18 +02:00
..
README.md Windows Management Instrumentation Event Subscription 2022-04-24 15:01:18 +02:00

Dependency Confusion

A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.

Summary

Tools

Exploit

Look for npm, pip, gem packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.

NPM example

References