What is dependency confusion
Dependency confusion is a newly discovered logic flaw in the default way software development tools pull third-party packages from public and private repositories. Attackers can take advantage of this issue to trick a development environment into pulling a malicious package that the attackers published in a community repository instead of the custom package of the same name hosted in a private repository.
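The resolution behaviour described above, as an added illustration that is not code from the original article: two constructed package indexes (a private one and a public one, with made-up package names), a resolver that merges every configured index and takes the highest version, the pinned alternative that only ever fetches a given name from its designated index, and an audit helper that lists internal names which also exist publicly.

```python
# Constructed sample index contents; package names and versions are invented.
PRIVATE_INDEX = {
    "acme-internal-auth": ["1.2.0", "1.3.0"],
    "acme-billing-client": ["0.9.1"],
}
PUBLIC_INDEX = {
    "requests": ["2.31.0"],
    "acme-internal-auth": ["99.0.0"],  # same name as the internal package, higher version
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

# Hardened policy: which index each internal name is allowed to come from.
POLICY = {"acme-internal-auth": "private", "acme-billing-client": "private"}


def parse_version(v):
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name, indexes):
    """Flawed default: pool candidates from every index and pick the highest
    version, regardless of which index it came from."""
    candidates = []
    for origin, index in indexes.items():
        for v in index.get(name, []):
            candidates.append((parse_version(v), v, origin))
    if not candidates:
        raise LookupError(f"{name} not found in any index")
    _, version, origin = max(candidates)
    return version, origin


def resolve_pinned(name, indexes, policy):
    """Hardened: a name is fetched only from its designated index (default
    public), so a higher public version of an internal name is never seen."""
    origin = policy.get(name, "public")
    versions = indexes[origin].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found in designated index '{origin}'")
    return max(versions, key=parse_version), origin


def find_confusable(private_index, public_index):
    """Audit: internal package names that also exist on the public index."""
    return sorted(set(private_index) & set(public_index))
```

With the merged resolver the internal name resolves to the public 99.0.0 release; with the pinned resolver it stays at the private 1.3.0, and the audit flags the colliding name.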
The complexities of the software supply chain
The complex relationships among packages mean that pulling one component as a dependency into an application can result in importing tens or hundreds of others. Security researchers have long warned that this can be exploited by attackers, especially since the repositories are not well policed.