VulnerAlert



MICROSOFT
24-02-2026 14:27

CVE-2021-24105 Documented vulnerability

No score
Description

Depending on the configuration of various package managers, it is possible for an attacker to insert a malicious package into a package manager's repository, from where it can be retrieved and used during development, build and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.

Attack scenarios

An attacker can take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies (https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610).

  • With basic knowledge of the target ecosystems, an attacker can create empty shell packages with install scripts, give them a high version number, and publish them to a public repository. Vulnerable victim machines will download the higher version of the package from among the public and private repositories and attempt to install it. Due to the incompatibility of the package it would probably error out upon import or compilation, making it easier to detect; however, the attacker would already have gained execution at that point.

  • An advanced attacker with some inside knowledge could copy the working package and add malicious code (in the package itself or in its install scripts); the package would then likely install correctly, granting the attacker an initial foothold and persistence.

These two methods could affect organizations at any of these levels:

  • Developer machines
  • An entire team if the malicious package is uploaded to the internal repository
  • Continuous integration pipelines if they pull packages in the build, test and/or deploy stages
  • Customers, servers and production services if the package has been released before the problem was detected

This can only be addressed by reconfiguring installation tools and workflows, not by correcting anything in the package repositories themselves. See the FAQ section of this CVE for configuration guidance.
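As an added example (not code from the advisory or from the VulnerAlert page), the following checker shows the pip configuration pattern behind this issue: an `extra-index-url` makes pip resolve every package name against both the public and the private index and pick the highest version, whereas a single `index-url` pointing at an internal proxy removes that ambiguity. The hostname `pkgs.example.internal` is a constructed placeholder.

```python
# Added example: flag pip configurations that merge a private index with the
# public one, the setting that lets a higher public version shadow an
# internal package. Not part of the advisory; sample configs are constructed.
import configparser
from typing import List

PUBLIC_INDEXES = ("https://pypi.org/simple",)

# Constructed sample: a typical exposed pip.conf. extra-index-url makes pip
# consider the public index for every name, so a public package with the same
# name and a higher version would be preferred over the internal one.
VULNERABLE_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pkgs.example.internal/simple
"""

# Constructed sample: the hardened form. One index-url pointing at an
# internal proxy/mirror that serves both internal and vetted public packages;
# no extra-index-url, so names are never resolved against pypi.org directly.
HARDENED_PIP_CONF = """
[global]
index-url = https://pkgs.example.internal/simple
"""


def find_confusion_risks(conf_text: str) -> List[str]:
    """Return findings for settings that let a public package shadow a private one."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    public = {u.rstrip("/") for u in PUBLIC_INDEXES}
    findings = []
    for section in cp.sections():
        if not cp.has_option(section, "extra-index-url"):
            continue  # a single index cannot be shadowed by another index
        extras = cp.get(section, "extra-index-url").split()
        findings.append(f"[{section}] extra-index-url merges indexes: {extras}")
        index = cp.get(section, "index-url", fallback="").rstrip("/")
        if index in public or any(e.rstrip("/") in public for e in extras):
            findings.append(f"[{section}] public index combined with a private one")
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(name, find_confusion_risks(conf) or "no dependency-confusion exposure found")
```

The same check applies to `PIP_EXTRA_INDEX_URL` in CI environment variables and to per-user `pip.conf` files on developer machines, which the advisory lists as the first affected level.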

Reference
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-24105