Third-Party Dependency Poisoning
Info
ID: AT-RD004
Tactic: Resource Development
Sub-techniques: Backdoored Open-Source Libraries, Dependency Confusion, Typosquatting Dependencies
Platforms: PRE
Third-Party Dependency Poisoning
Adversaries may publish or modify libraries in public or private registries, such as npm, PyPI, or Maven Central, to plant backdoor code that unsuspecting teams import during development. Techniques like typosquatting and dependency confusion exploit assumptions about package naming or repository trust, tricking the application's build into pulling malicious updates. Once integrated, these tainted dependencies grant attackers a foothold without targeting any specific on-premises infrastructure.
In cloud-native environments, developers rapidly adopt new open-source projects, which leaves their teams especially vulnerable to malicious libraries that appear beneficial or have a near-identical package name. Because organizations rely on automated build processes, they may propagate the attacker's code throughout microservices, delivering the payload to production. Successful third-party dependency poisoning also undermines the supply chain and can bypass perimeter defenses that focus solely on inbound traffic.
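A build-time check for the two naming tricks described above, as an added example that is not part of the original page: it flags declared dependencies that sit one edit away from a vetted package name (typosquatting) and internal names that are not pinned to a private registry or are also claimed publicly (dependency confusion). The `audit` function, the `"private"`/`"public"` registry labels, the `acme-*` package names and all sample data are hypothetical.

```python
import re

def normalize(name):
    # PEP 503: case-insensitive; runs of "-", "_", "." are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Optimal string alignment: insert, delete, substitute, adjacent swap.
    # First row and column hold the distance from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def audit(declared, allowlist, internal, public_index):
    """declared maps name -> registry label ("private"/"public", hypothetical)."""
    allowed = {normalize(n) for n in allowlist}
    internal_n = {normalize(n) for n in internal}
    public_n = {normalize(n) for n in public_index}
    findings = []
    for raw, registry in declared.items():
        name = normalize(raw)
        if name in internal_n:  # dependency confusion checks
            if registry != "private":
                findings.append((raw, "internal name not pinned to private registry"))
            elif name in public_n:
                findings.append((raw, "internal name also claimed on public registry"))
            continue
        if name in allowed:
            continue
        near = sorted(a for a in allowed if edit_distance(name, a) <= 1)
        if near:  # one edit away from a vetted package: likely typosquat
            findings.append((raw, "possible typosquat of " + near[0]))
        else:
            findings.append((raw, "not on allowlist"))
    return sorted(findings)

# Constructed sample data, not taken from any real project
ALLOWLIST = ["requests", "urllib3", "python-dateutil"]
INTERNAL = ["acme-billing", "acme-auth"]
PUBLIC_INDEX = ALLOWLIST + ["reqeusts", "acme-auth"]
DECLARED = {"Requests": "public", "reqeusts": "public", "python_dateutil": "public",
            "acme-billing": "public", "acme-auth": "private", "leftpad": "public"}
```

Run as a gate in the automated build, a non-empty result from `audit` stops the pipeline before the flagged package is resolved and propagated to downstream services.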