You probably arrived on this page after watching my talk about Dependency Confusion at .NET Day Switzerland on the 30th of August 2022.

As a reminder, these are the three easy steps to take in order to secure your NuGet supply chain against dependency confusion attacks (links to Microsoft docs):

  1. Use Package Source Mapping
  2. Use <trustedSigners>: Manage package trust boundaries
  3. Reserve prefixes for both your public and private packages on Package ID prefix reservation
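To show what steps 1 and 2 look like in practice, here is an added example of a nuget.config that wires them together (this is illustration written for this page, not the demo code from the talk). The feed name "contoso", its URL, the "Contoso.*" package ID prefix and the certificate fingerprints are placeholders: substitute your own private feed, your reserved prefix and the fingerprints published by your signing authority and by nuget.org.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Start from an empty list so sources inherited from a machine-wide
         or user-level nuget.config cannot silently widen the search. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Placeholder private feed; replace with your own. -->
    <add key="contoso" value="https://pkgs.example.invalid/contoso/nuget/v3/index.json" />
  </packageSources>

  <!-- Step 1: Package Source Mapping.
       Without this section, a restore asks every source for every package ID,
       so a public package named Contoso.Internal.Utils could win the race
       against the private one. With it, each ID is fetched only from the
       source whose pattern matches; the most specific pattern wins, so the
       "Contoso.*" prefix is pinned to the private feed and everything else
       stays on nuget.org. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <!-- Step 2: trusted signers.
       Restore now rejects any package that is not signed by one of the
       listed author or repository certificates. Fingerprints below are
       placeholders (not real values). -->
  <trustedSigners>
    <author name="contoso-release-signing">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT_OF_YOUR_AUTHOR_CERT"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT_OF_NUGET_ORG_REPO_CERT"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <!-- Only packages uploaded by these nuget.org accounts are accepted
           from the public feed; the list is an example, adjust to need. -->
      <owners>microsoft;dotnetframework;aspnet</owners>
    </repository>
  </trustedSigners>

  <config>
    <!-- "require" turns the trusted-signers list from a warning into a
         hard restore failure for unsigned or unknown-signer packages. -->
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Package Source Mapping needs NuGet 6.0 or later (the .NET 6 SDK onward). A quick way to check the mapping is to run a clean restore and confirm that a package ID outside your reserved prefix is never requested from the private feed, and that an ID under the prefix is never requested from nuget.org; step 3 (prefix reservation on nuget.org) closes the remaining gap by making sure nobody else can publish under that prefix publicly.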

The source code for my demos is on GitHub, feel free to use it when explaining the problem to your colleagues.

More docs from Microsoft:

You can read about the NuGet historical design decision of having a non-deterministic package resolution behavior for hybrid configurations (fetching packages from all configured sources in parallel): NuGet/Home#5611.

About substitution attacks - the original article by security researcher Alex Bîrsan from Romania: Dependency Confusion: How I Hacked Into Apple, Microsoft, and Dozens of Other Companies.

About typosquatting:

About the SolarWinds breach:

C. Augusto Proiete demonstrated that NuGet packages can execute arbitrary code in 2019 - i-am-root-nuget-package.

Whether or not you enjoyed my talk, please fill in this Feedback form (Google Form, anonymous).

Last, but not least: we’re hiring at Sonar!