Dependency Confusion
Description
If private package names also exist on public registries, build systems may inadvertently pull attacker-controlled packages (“dependency confusion”). Mobile projects using Gradle, CocoaPods, or React Native dependencies are susceptible when versions aren’t pinned and registries aren’t isolated.
Examples
Detect Loose Versions and Public Resolution
rg -n "[:=,] *['\"](\^|~|\*)|['\"]: *['\"]latest['\"]|(\+|:latest\.\w+)['\"]" build.gradle* Podfile package.json
The three alternatives match, in order: range prefixes in package.json and Podfile (^, ~ and *, including ‘~> x.y’ after the comma on a pod line), an npm “latest” tag, and Gradle dynamic versions such as ‘1.+’ or ‘latest.release’. Investigate any “latest”, wildcards, or “+” notations that could pull unintended versions.
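The ripgrep pass above is quick but pattern-only. The following Python scanner, added here as an example and not part of the original page, parses each manifest type with its own rules and reports every specifier that is not an exact pin, so that ranges, dist-tags, dynamic Gradle versions, SNAPSHOTs and version-less pod lines all surface in one list. The three sample manifests, the package names in them and the file labels are constructed for illustration.

```python
import json
import re

# Constructed sample manifests (illustrative only, not from a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "react-native": "0.73.2",
        "@acme/analytics": "^2.1.0",
        "left-pad": "latest",
        "lodash": "*",
    },
    "devDependencies": {"jest": "~29.7.0"},
})

SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.squareup.okhttp3:okhttp:4.12.0'
    implementation 'com.acme.internal:auth-sdk:1.+'
    implementation("com.acme.internal:telemetry:latest.release")
    testImplementation 'junit:junit:[4.12,5.0)'
}
"""

SAMPLE_PODFILE = """
platform :ios, '15.0'
pod 'AcmeNetworking'
pod 'Alamofire', '5.8.1'
pod 'SwiftyJSON', '~> 5.0'
"""

# npm: only an exact semver (optionally "=" prefixed) counts as pinned; ranges,
# dist-tags, git refs and tarball URLs are all reported.
NPM_EXACT = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# Gradle: "group:artifact:version" in quotes; "+", "latest.*", ranges "[..."/"(..."
# and -SNAPSHOT all resolve to something other than one fixed artifact.
GRADLE_COORD = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([^'"]+)['"]""")
GRADLE_LOOSE = re.compile(r"\+|^latest\.|^[\[(]|-SNAPSHOT$")
# CocoaPods: the optional second quoted argument is the version requirement.
POD_LINE = re.compile(r"""^\s*pod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?""")
POD_LOOSE = re.compile(r"^\s*(~>|>=|<=|>|<)")


def scan_package_json(text):
    """Findings are (file, name, spec, reason) tuples."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if not NPM_EXACT.match(spec):
                findings.append(("package.json", name, spec, "not an exact semver"))
    return findings


def scan_gradle(text):
    findings = []
    for group, artifact, version in GRADLE_COORD.findall(text):
        if GRADLE_LOOSE.search(version):
            findings.append(("build.gradle", f"{group}:{artifact}", version, "dynamic or range version"))
    return findings


def scan_podfile(text):
    findings = []
    for line in text.splitlines():
        m = POD_LINE.match(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(2)
        if spec is None:  # no requirement at all (or a non-quoted option such as :git)
            findings.append(("Podfile", name, "", "no version requirement"))
        elif POD_LOOSE.match(spec):
            findings.append(("Podfile", name, spec, "optimistic/open range"))
    return findings


def scan_all(package_json=SAMPLE_PACKAGE_JSON, build_gradle=SAMPLE_BUILD_GRADLE, podfile=SAMPLE_PODFILE):
    return scan_package_json(package_json) + scan_gradle(build_gradle) + scan_podfile(podfile)


if __name__ == "__main__":
    for path, name, spec, reason in scan_all():
        print(f"{path}: {name} {spec!r} ({reason})")
```

Run against real files by reading them and passing the text to `scan_all`; anything it prints is a version the resolver, not the developer, chooses at build time. The npm rule is deliberately strict: a git URL or tarball is reported as well, because neither is a registry pin that a lockfile can verify.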
Prefer Private Scopes/Registries
Check Gradle repository order and Podfile sources. Gradle queries repositories in declaration order and takes a module from the first one that has it, so a public repository listed ahead of the private one can answer for an internal name:
rg -n "maven *[{(]|google\(|mavenCentral\(|jcenter\(" build.gradle* settings.gradle*
rg -n "^\s*source ['\"]" Podfile
The Podfile source lines are listed in the order CocoaPods consults them; a private specs repo for internal pods should appear there, not only the public specs source (github.com/CocoaPods/Specs or cdn.cocoapods.org).
Remediation
- Pin and verify
  - Lock exact versions; verify checksums/signatures; use lockfiles.
- Isolate registries
  - Route private packages to private registries with scoped names; block public fallbacks.
- Monitor
  - Alert on new public packages matching internal names; review SBOMs for drift.
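As an added example (not from the original page) for the “Isolate registries” point and the Gradle repository-order check above: a Python audit that parses a Gradle repositories block and reports, for each internal Maven group, whether a public repository is searched ahead of the private one or whether the private repository is left without an exclusiveContent restriction. The two embedded build-script fragments, the nexus.acme.example URL and the com.acme.internal group are constructed placeholders; exclusiveContent, forRepository, filter and includeGroup are real Gradle DSL elements (exclusiveContent since Gradle 6.2).

```python
import re

# Constructed Gradle fragments (placeholders, not real infrastructure). WEAK lists public
# repositories first and leaves the private one unrestricted; HARDENED binds the internal
# group to the private repository with exclusiveContent, so public repos can never serve it.
WEAK_GRADLE = """
repositories {
    mavenCentral()
    google()
    maven { url 'https://nexus.acme.example/repository/maven-private/' }
}
"""

HARDENED_GRADLE = """
repositories {
    exclusiveContent {
        forRepository {
            maven { url 'https://nexus.acme.example/repository/maven-private/' }
        }
        filter { includeGroup 'com.acme.internal' }
    }
    google()
    mavenCentral()
}
"""

URL_RE = re.compile(r"""['"](https?://[^'"]+)['"]""")
FILTER_RE = re.compile(r"""\bincludeGroup(ByRegex)?\s*\(?\s*['"]([^'"]+)['"]""")
TOKEN_RE = re.compile(
    r"\bexclusiveContent\s*\{|\b(mavenCentral|google|jcenter|mavenLocal)\s*\(|\bmaven\s*(?=[{(])")


def _block_after(text, start):
    """Return (contents, index_after) of the first balanced {...} block at or after start."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j], j + 1
    raise ValueError("unbalanced braces")


def parse_repositories(text):
    """Ordered list of (kind, name_or_url, filters); filters is a list of (is_regex, pattern)
    taken from an enclosing exclusiveContent block (empty when the repo is unrestricted)."""
    m = re.search(r"\brepositories\s*\{", text)
    if not m:
        raise ValueError("no repositories block")
    body, _ = _block_after(text, m.start())
    entries, pos = [], 0
    while (t := TOKEN_RE.search(body, pos)):
        if t.group(0).startswith("exclusiveContent"):
            inner, pos = _block_after(body, t.start())
            filters = [(kind == "ByRegex", pat) for kind, pat in FILTER_RE.findall(inner)]
            entries.append(("custom", URL_RE.search(inner).group(1), filters))
        elif t.group(1):                       # built-in public shortcut such as mavenCentral()
            entries.append(("public", t.group(1), []))
            pos = t.end()
        else:                                  # maven { url ... } or maven("...")
            if body[t.end()] == "{":
                inner, pos = _block_after(body, t.end())
            else:
                close = body.index(")", t.end())
                inner, pos = body[t.end():close], close + 1
            entries.append(("custom", URL_RE.search(inner).group(1), []))
    return entries


def audit(text, internal_groups):
    """One issue string per internal group that a public repository could still serve."""
    entries = parse_repositories(text)
    first_public = next((i for i, e in enumerate(entries) if e[0] == "public"), None)
    first_custom = next((i for i, e in enumerate(entries) if e[0] == "custom"), None)
    issues = []
    for group in internal_groups:
        pinned = any(e[0] == "custom" and any(
            re.fullmatch(pat, group) if is_re else pat == group for is_re, pat in e[2])
            for e in entries)
        if pinned:
            continue   # exclusiveContent: only the private repository may serve this group
        if first_custom is None:
            issues.append(f"{group}: no private repository declared")
        elif first_public is not None and first_public < first_custom:
            issues.append(f"{group}: public repository {entries[first_public][1]}() is searched "
                          f"before the private one (Gradle queries repositories in declaration order)")
        else:
            issues.append(f"{group}: private repository is not restricted with exclusiveContent, "
                          f"so public repositories remain a fallback for it")
    return issues


if __name__ == "__main__":
    for label, script in (("weak", WEAK_GRADLE), ("hardened", HARDENED_GRADLE)):
        print(label, audit(script, ["com.acme.internal"]) or ["ok"])
```

Moving the private repository to the top of the list only narrows the window; the exclusiveContent form is the one that actually blocks the public fallback, and the same audit flags an internal group that the filter forgot to include. The brace matcher does not understand Groovy comments or strings containing braces, so treat a parse failure as a prompt to inspect the file by hand.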