Webinar | On Demand

How to Avoid the 'Dependency Confusion' Software Supply Chain Hack

In March 2021 it was revealed that 35 global technology companies had been breached via the 'Dependency Confusion' method. Here's what you can do to protect against future attacks.

When an ethical hacker announced he had successfully breached the vulnerable software supply chains of 35 technology companies, including Apple, Microsoft and Netflix, it came as no surprise to Sonatype.

Our research team had already detected over 300 suspicious packages back in 2020, the packages behind Alex Birsan's research. We added these components to our data, alerted the community, and have been actively protecting customers ever since.

By taking advantage of a novel concept known as 'dependency confusion', also called 'namespace confusion', Birsan pushed his research packages downstream, in an automated fashion, into the development environments of multinational technology companies. The method he described is now widely used by other actors: similar packages grew by 1444% in the week after he published his findings.
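
The mechanism behind the attack is a resolver that treats a public registry and an internal feed as one pool and takes the highest version it can find. The following model is an added example written for this page, not code from the webinar or from Sonatype; the package names (`acme-auth-client`, `acme-billing-sdk`, `acme-reports`) and both feed snapshots are constructed, and the feed layout is a simplification of how real package managers behave. It shows the vulnerable merge-and-take-max resolution beside a hardened resolver that pins reserved names to the internal feed and fails closed, plus the audit a team would run to find internal names that have been claimed publicly:

```python
"""Model of dependency (namespace) confusion in a package resolver.

Added example for this page; feeds and package names below are constructed,
not taken from any real registry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Feed = Dict[str, List[str]]          # package name -> published versions
Feeds = Dict[str, Feed]              # feed name ("internal"/"public") -> Feed


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]
    feed: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.3.1' -> (1, 3, 1); tuples compare the way a resolver orders versions."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample data (hypothetical names, not real packages).
INTERNAL_FEED: Feed = {
    "acme-auth-client": ["1.2.0", "1.3.1"],
    "acme-billing-sdk": ["0.9.0"],
}
PUBLIC_FEED: Feed = {
    "requests": ["2.31.0"],
    # Attacker registers the internal name publicly with an absurdly high version.
    "acme-auth-client": ["99.0.0"],
    # A name the organisation reserves but has not yet published internally.
    "acme-reports": ["1.0.0"],
}
FEEDS: Feeds = {"internal": INTERNAL_FEED, "public": PUBLIC_FEED}
INTERNAL_NAMES: Set[str] = set(INTERNAL_FEED)


def naive_resolve(name: str, feeds: Feeds) -> Optional[Candidate]:
    """Vulnerable: merge every feed and pick the highest version, ignoring origin.

    This is the behaviour dependency confusion exploits; the public 99.0.0
    beats the internal 1.3.1 and the attacker's package is installed.
    """
    cands = [
        Candidate(name, parse_version(v), feed)
        for feed, pkgs in feeds.items()
        for v in pkgs.get(name, [])
    ]
    return max(cands, key=lambda c: c.version, default=None)


def pinned_resolve(name: str, feeds: Feeds, internal_names: Set[str]) -> Optional[Candidate]:
    """Hardened: reserved names resolve only from the internal feed; all others
    only from public. A reserved name missing internally returns None rather
    than falling back to the public registry (fail closed).
    """
    feed = "internal" if name in internal_names else "public"
    versions = feeds[feed].get(name, [])
    if not versions:
        return None
    return Candidate(name, max(parse_version(v) for v in versions), feed)


def find_collisions(internal_names: Set[str], public_feed: Feed) -> List[str]:
    """Audit: which internal-only names are also claimed on the public registry?"""
    return sorted(n for n in internal_names if n in public_feed)


if __name__ == "__main__":
    print("naive  :", naive_resolve("acme-auth-client", FEEDS))
    print("pinned :", pinned_resolve("acme-auth-client", FEEDS, INTERNAL_NAMES))
    print("reserved-but-unpublished:",
          pinned_resolve("acme-reports", FEEDS, INTERNAL_NAMES | {"acme-reports"}))
    print("collisions:", find_collisions(INTERNAL_NAMES, PUBLIC_FEED))
```

The audit function is the quick check a team can run today: compare the names of every internal-only dependency against the public registry for each ecosystem in use, and treat any hit as an incident to investigate, not just a name to reserve.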

In this 30-minute webinar, Ax Sharma (Security Researcher and Advocate), Brian Fox (CTO) and Ilkka Turunen (Field CTO) discuss the events that led to the breaches, why this particular method of software supply chain attack is so simple yet so effective, and what you can do to avoid exposure in the future.

Additional topics covered include: 

  • Ethical hacking: why organizations can pay upwards of $100k a breach

  • How Sonatype detected and protected 

  • Clear steps on how to avoid future attacks



Ax Sharma

Security Researcher and Advocate


Ilkka Turunen

Field CTO


Brian Fox

CTO