Dependency Combobulator is an open source toolkit for combating dependency confusion / dependency substitution attacks. These attacks take advantage of a public or private repository of software projects to confuse the package manager and sneak in packages that pose as the expected dependencies but are intended to carry out some kind of attack.
Apiiro launched Dependency Combobulator precisely to fight this: a toolkit capable of detecting and preventing these attacks. These attacks have only recently been discovered and have grown as an attack vector today. In other words, with this kit you can avoid the kind of dependency hoax that ends with malicious packages being installed instead of the correct dependency the package manager was meant to install.
In these cases, users are not aware of the problem; they trust the package manager, which is what automates the handling of dependencies. As a result, they would be authorizing malicious code without knowing it. That is where Dependency Combobulator becomes interesting, evaluating different sources such as GitHub, JFrog Artifactory, etc.
The tool is developed in Python and uses a heuristic engine that works on an abstract package model, providing easy extensibility. In addition to flexibility, it can help security professionals make better decisions. It can be easily integrated, and it runs automatically.
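To make the confusion described above concrete, here is a small added example (not Dependency Combobulator's code) of the core heuristic such a check rests on: a dependency whose name is published internally but which was resolved from a public registry, especially at a higher version than the internal one, is the signature of a substitution. The registry URLs, package names and versions below are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed registry identifiers used by this example.
PUBLIC = "https://registry.example.org/public"
INTERNAL = "https://registry.example.org/internal"

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    source: str   # registry the package manager actually fetched from

@dataclass(frozen=True)
class Finding:
    name: str
    resolved_version: str
    internal_version: str
    outranks_internal: bool   # the public version beat the internal one

def _ver(v):
    """Turn '1.4.2' into (1, 4, 2) for a plain numeric comparison."""
    return tuple(int(p) for p in v.split("."))

def find_confusion(resolved, internal_index):
    """Flag dependencies whose name exists in the internal index but which
    were resolved from somewhere other than the internal registry. Resolvers
    prefer the highest matching version, so a public version above the
    internal one is the classic bait and is recorded as well."""
    findings = []
    for pkg in resolved:
        internal_version = internal_index.get(pkg.name)
        if internal_version is None or pkg.source == INTERNAL:
            continue  # public-only package, or correctly sourced internal one
        findings.append(Finding(
            name=pkg.name,
            resolved_version=pkg.version,
            internal_version=internal_version,
            outranks_internal=_ver(pkg.version) > _ver(internal_version),
        ))
    return findings

# Constructed sample: what the organisation publishes on its internal registry.
INTERNAL_INDEX = {"acme-auth": "1.4.2", "acme-billing": "2.0.1"}

# Constructed sample: what a lockfile recorded after resolution.
RESOLVED = [
    Package("requests", "2.31.0", PUBLIC),      # public-only, fine
    Package("acme-auth", "1.4.2", INTERNAL),    # internal, correctly sourced
    Package("acme-billing", "99.0.0", PUBLIC),  # internal name from public: confusion
]

if __name__ == "__main__":
    for f in find_confusion(RESOLVED, INTERNAL_INDEX):
        print(f"{f.name}: {f.resolved_version} from public registry, "
              f"internal has {f.internal_version}, outranks={f.outranks_internal}")
```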
"In the wake of security researcher Alex Birsan's decision to compromise ecosystems maintained by Apple, Microsoft, and PayPal earlier this year, the industry experienced an outbreak of seizures similar to the supply chain," said Moshe Zioni, Apiiro's vice president of security research. "We were eager to respond by creating a suite of tools that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is essential for organizations to successfully secure their software supply chains."