SUP-DEP-CONFUSIONInitial Access

Dependency Confusion (Public ↔ Internal)

Publish a package on a public registry with the name of a target's internal-only dependency at a higher version — npm/yarn prefers the public one.

§ Where this technique fits

SUP-DEP-CONFUSION is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Dependency confusion → internal CI compromise
Publish a public npm package with the name of a target's private internal dependency at a higher version. CI resolves the public one first and runs install scripts in privileged CI.
step 2 / 5

§ What commonly comes next

01
Malicious Install Script
SUP-INSTALL-SCRIPT · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Dependency confusion → internal CI compromise

§ What commonly comes next