Monday, February 22, 04:11

Microsoft: Businesses are at risk of a new attack technique

According to a warning Microsoft published on Tuesday, a new attack technique called "dependency confusion" or "substitution attack" can be used to poison the application build process in corporate environments.


The technique relies on the interaction of three things: package managers, public and private package repositories, and build processes.

Today, developers at companies large and small use package managers to download and import libraries, which are then assembled with build tools into a final application.

That application may be offered to the company's customers or used internally as a tool for its employees.

Some of these applications, however, contain proprietary or highly sensitive code. For them, companies often use private libraries stored in a private (internal) package repository hosted on the company network.

When company developers build their applications, they combine these private libraries with public ones downloaded from public package registries such as npm, PyPI, NuGet and others.

As security researchers have found, a new attack technique called "dependency confusion" targets exactly these mixed development environments in large companies.

The researchers showed that if an attacker learns the names of the private libraries used in a company's build process, they can register those same names on public package registries and upload public packages of the same name that contain malicious code.


The "dependency confusion" attack occurs when developers build their applications and the package manager gives priority to the (malicious) library hosted in the public registry, typically because it carries a higher version number, over the internal library of the same name.
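To make the resolution behaviour concrete, the following Python is an added illustration, not code from the article, from Microsoft or from any real package manager. It simulates an internal feed and a public registry (both constructed sample data, with the hypothetical internal package "acme-billing-core") and contrasts a resolver that pools both feeds and takes the highest version with one that routes names under an owned prefix to the internal feed only. It also includes the audit check a practitioner would run: which internal names already exist on the public registry.

```python
"""How a package manager that merges an internal feed with a public registry
gets confused. Added example with constructed feeds; not the code of the
article, Microsoft or any real package manager."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # (major, minor, patch), compared lexicographically
    source: str      # "internal" or "public"


# Constructed feeds. The attacker has learned the (hypothetical) internal
# name "acme-billing-core" and registered it publicly with a huge version.
INTERNAL_FEED = {
    "acme-billing-core": [Candidate("acme-billing-core", (1, 4, 2), "internal")],
}
PUBLIC_FEED = {
    "requests": [Candidate("requests", (2, 25, 1), "public")],
    "acme-billing-core": [Candidate("acme-billing-core", (99, 0, 0), "public")],
}


def resolve_merged(name, internal=INTERNAL_FEED, public=PUBLIC_FEED):
    """Vulnerable policy: pool every feed and install the highest version.
    This is what pip does with --extra-index-url pointing at the private
    index, and what a proxy feed that falls through to upstream does."""
    pool = internal.get(name, []) + public.get(name, [])
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: c.version)


def resolve_scoped(name, owned_prefix="acme-",
                   internal=INTERNAL_FEED, public=PUBLIC_FEED):
    """Hardened policy: every name under the organisation's prefix (its
    controlled scope) is resolved from the internal feed only, and the
    public registry is never consulted for it, so the attacker's higher
    public version is simply invisible. Other names come from public only."""
    pool = internal.get(name, []) if name.startswith(owned_prefix) else public.get(name, [])
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: c.version)


def find_confusable(internal=INTERNAL_FEED, public=PUBLIC_FEED):
    """Audit check: internal package names that someone has also registered
    on the public registry. Any hit means a merged resolver is exposed."""
    return sorted(set(internal) & set(public))
```

With a merged policy `resolve_merged("acme-billing-core")` returns the attacker's public 99.0.0, while `resolve_scoped` returns the internal 1.4.2; `find_confusable()` lists the collision so it can be caught before a build does.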

The research team discovered the attack in cases where large technology companies had accidentally leaked the names of internal libraries; the researchers then registered those same names on package registries such as npm, RubyGems and PyPI.

Using this method, the researchers say they successfully got their own code loaded into applications of 35 major technology companies, including Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber and others.

Beyond npm, RubyGems and PyPI, other package ecosystems were also found vulnerable, including JFrog (Artifactory), Maven Central and NuGet.

While the research team said it has informed all affected companies and package registries, Microsoft appears to have taken the issue most seriously.

Following the publication of the research on Tuesday, the company, which also runs the NuGet package manager for .NET developers, issued an advisory describing the "dependency confusion" technique, which Microsoft calls a "substitution attack".

Some of the recommendations are:

  • Reference one private feed, not multiple
  • Protect your private packages by using controlled scopes on public package registries
  • Use client-side verification features such as version pinning and integrity verification
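The third recommendation is the one a build can enforce on its own, whatever the feeds do. The following Python is an added illustration, not Microsoft's or any package manager's code: it parses a lockfile in the style of pip's `name==version --hash=sha256:...` requirement lines and refuses any fetched artifact whose version or digest differs from the pin, including the case where the attacker matches the pinned version exactly and only the hash reveals the swap. Artifacts and the package name "acme-billing-core" are constructed sample data.

```python
"""Client-side verification: pinned versions plus sha256 digests from a
lockfile, checked before anything is installed. Added example with
constructed artifacts; not the code of Microsoft or any package manager."""
import hashlib
import re

# One pinned requirement per line, pip-style: name==version --hash=sha256:<hex>
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_lockfile(text):
    """Return {name: (pinned_version, {allowed sha256 digests})}.
    Anything that is not an exact pin with at least one hash is rejected,
    which is what pip's --require-hashes mode does."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        if not digests:
            raise ValueError(f"{m['name']}: no --hash given, refusing to install")
        pinned[m["name"].lower()] = (m["version"], digests)
    return pinned


def verify_install(lockfile_text, fetched):
    """fetched maps package name -> (version the feed offered, artifact bytes).
    Returns the list of rejection reasons; an empty list means every fetched
    artifact matches its pin and digest and may be installed."""
    pinned = parse_lockfile(lockfile_text)
    problems = []
    for name, (version, data) in fetched.items():
        if name.lower() not in pinned:
            problems.append(f"{name}: not in lockfile")
            continue
        want_version, want_digests = pinned[name.lower()]
        if version != want_version:
            problems.append(f"{name}: version {version} offered, {want_version} pinned")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in want_digests:
            problems.append(f"{name}: sha256 mismatch, artifact was substituted")
    return problems


# Constructed artifacts standing in for real wheels. The lockfile is generated
# from the genuine bytes, as it would be at the time of a known-good build.
GENUINE = {
    "requests": ("2.25.1", b"constructed: genuine requests wheel"),
    "acme-billing-core": ("1.4.2", b"constructed: genuine internal wheel"),
}
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{hashlib.sha256(data).hexdigest()}"
    for name, (ver, data) in GENUINE.items()
)

# Case 1: a confused resolver fetched the attacker's higher public version.
SUBSTITUTED_VERSION = {**GENUINE, "acme-billing-core": ("99.0.0", b"constructed: attacker payload")}
# Case 2: the attacker published the pinned version number; only the digest catches it.
SUBSTITUTED_BYTES = {**GENUINE, "acme-billing-core": ("1.4.2", b"constructed: attacker payload")}
```

`verify_install(LOCKFILE, GENUINE)` returns no problems, the version substitution is rejected on the pin, and the same-version substitution is rejected on the digest. In real tooling this is pip's `--require-hashes` mode and the `integrity` field of npm's package-lock.json; the point is that the check runs on the client and does not depend on which feed answered first.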



Absent Mia
