Dependency Hijacking

Dependency Hijacking is a sophisticated supply chain compromise technique where attackers exploit the way package managers or build systems resolve and retrieve dependencies. In this attack, adversaries publish malicious packages with names similar to legitimate dependencies (typosquatting) or claim namespace precedence in public repositories for packages that are privately used within organizations but not publicly registered. When development environments automatically fetch these dependencies during build processes, the malicious code is unknowingly incorporated into the target application. This technique takes advantage of the implicit trust organizations place in third-party libraries and the lack of verification between what's specified in dependency manifests and what's actually retrieved from repositories. Successful dependency hijacking allows attackers to gain initial access to development environments, inject malicious code that will be distributed to end-users, harvest credentials, or establish persistent access through compromised software supply chains without needing to compromise organizational networks directly.
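As an added example (not part of the original page), a defender-side audit of an npm lockfile for the signals described above: a privately used package name that resolves to the public registry, a dependency with no integrity hash pinning what was actually retrieved, and a name within two edits of a known dependency. The internal registry URL, the private package names and the sample lockfile are assumptions constructed for this example.

```python
import json

INTERNAL_REGISTRY = "https://npm.internal.example/"       # hypothetical private registry
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-logger"}  # hypothetical privately published names
KNOWN_GOOD = ("lodash", "express")                        # allowlist for the typosquat check

def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_lockfile(lock_json):
    """Return (package, reason) pairs for a lockfileVersion 3 package-lock.json; [] means clean."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:                                # "" is the root project, not a dependency
            continue
        name = path.split("node_modules/")[-1]      # keeps the @scope/ prefix for scoped packages
        resolved = meta.get("resolved", "")
        # Namespace precedence: a private name must only ever resolve to the private registry.
        if name in INTERNAL_PACKAGES and not resolved.startswith(INTERNAL_REGISTRY):
            findings.append((name, "internal package resolved from " + (resolved or "<unknown>")))
        # Manifest vs. retrieved artefact: without an integrity hash nothing pins the tarball.
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash pinned"))
        # Typosquatting: a name one or two edits away from a known dependency is suspicious.
        for good in KNOWN_GOOD:
            d = levenshtein(name, good)
            if 0 < d <= 2:
                findings.append((name, f"edit distance {d} from '{good}' (possible typosquat)"))
    return findings

# Constructed lockfile: clean public, typosquat, confused private, clean private, unpinned public.
NPM = "https://registry.npmjs.org/"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/lodash": {"resolved": NPM + "lodash/-/lodash-4.17.21.tgz", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/lodahs": {"resolved": NPM + "lodahs/-/lodahs-1.0.0.tgz", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/@acme/auth-client": {"resolved": NPM + "@acme/auth-client/-/auth-client-9.9.9.tgz",
                                       "integrity": "sha512-CONSTRUCTED"},
    "node_modules/acme-logger": {"resolved": INTERNAL_REGISTRY + "acme-logger/-/acme-logger-2.1.0.tgz",
                                 "integrity": "sha512-CONSTRUCTED"},
    "node_modules/express": {"resolved": NPM + "express/-/express-4.19.2.tgz"},
}})
```

Running `audit_lockfile(SAMPLE_LOCK)` flags `lodahs`, `@acme/auth-client` and `express` while the two correctly sourced and pinned entries pass; in a real pipeline the lockfile would be read from disk and any finding would fail the build.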