The number of threat actors introducing malicious code into applications through dependencies is increasing, and while this technique is relatively new, recorded attacks have shown that it can cause serious problems for organizations, TechRepublic reports.
One example of a dependency confusion attack is the malicious PyTorch dependency package of 2022, in which threat actors carried out a supply chain attack by injecting a malicious dependency into the PyPI code repository and running a malicious binary to activate it.
OX Security, a DevOps software supply chain security firm, recently released research showing that over one billion users, and over half of applications with 30 million users, rely on dependencies that may be subject to dependency confusion attacks.
The research also shows that vulnerable organizations have a 73% higher chance of having their assets exposed to dependency confusion attacks.
This echoes a finding in Orca Security's report earlier this year that nearly 49% of organizations could be targeted by dependency confusion attacks.
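A defender-side check for the exposure these reports describe, added here as an example and not code from the article or the firms it cites: it flags internal package names that are left unpinned in a requirements file, and a pip configuration that lets the public index win the resolution. The package names, the private index hostname and the file contents are constructed.

```python
"""Offline check for dependency-confusion exposure in a Python project."""
import re

# Constructed: package names that exist only on the company's private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-billing-client"}

# Constructed sample requirements.txt: the two internal names are not pinned.
REQUIREMENTS = """\
requests==2.31.0
acme-auth
acme_billing_client>=1.2
numpy==1.26.4
"""

# Constructed pip.conf in the weak shape: public PyPI is the primary index and
# the private index is only an extra, so a same-named public package with a
# higher version can win the resolution (hostname is hypothetical).
WEAK_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

# Constructed corrected pip.conf: a single index, an internal proxy that serves
# the private packages and a curated mirror of PyPI.
FIXED_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
"""

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\S+)?")

def _normalize(name: str) -> str:
    """PEP 503 normalisation so acme_auth and acme-auth compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_confusable(requirements: str, internal: set[str]) -> list[str]:
    """Internal names not pinned with '==': no pin or '>=' lets a higher public version win."""
    flagged = []
    for line in requirements.splitlines():
        m = _REQ_RE.match(line)  # comment lines do not match the name pattern
        if m and _normalize(m.group(1)) in internal and m.group(2) is None:
            flagged.append(_normalize(m.group(1)))
    return flagged

def index_misconfigured(pip_conf: str, private_host: str) -> bool:
    """True when the private index is reachable only via extra-index-url (pip defaults index-url to pypi.org)."""
    cfg = dict(re.findall(r"^\s*([\w-]+)\s*=\s*(\S+)", pip_conf, re.M))
    return private_host in cfg.get("extra-index-url", "") and "pypi.org" in cfg.get("index-url", "https://pypi.org/simple")
```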