dependency confusion Archives - Include Security Research Blog

Dependency Confusion Vulnerabilities in Unity Game Development

April 30, 2021 — IncludeSec

The Unity game engine has a package manager which allows packaged code and assets to be imported into a game, with dependencies automatically handled. Originally this was used only for Unity-produced packages, such as the GUI system. Later Unity began allowing private registries so that game studios can maintain their own internal packages. The IncludeSec research team found that the previous advice to Unity game developers to stand up their own package manager left them vulnerable to dependency confusion by default.

Dependency Confusion: When Are Your npm Packages Vulnerable?

March 9, 2021February 18, 2021 — Nick Fox, Tech Review by Juan Picado (Verdaccio) and Jason Kielpinski

This post follows up on the recent blog post by Alex Birsan which highlighted serious problems with how some programming language package managers (npm, RubyGems, and Python’s pip) resolve and install dependencies. Alex described possible causes for pip and RubyGems, but the details regarding npm were a bit less clear so we sought to help … Read more