Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot

We discussed this vulnerability during Episode 211 on 15 May 2023

An attack that confuses security tooling into taking an insecure action. So, what is Dependabot? If you've used GitHub you've probably seen it around. It's a bot that scans a project's dependencies and, when applicable, automatically creates a PR to bump versions up to newer releases.

One interesting feature is that if you point a dependency at a specific git repository in order to make use of currently unreleased changes, Dependabot can detect when those changes get released in a public package and automatically send a PR to convert your dependency from git back to the package. The problem lies in how it does this detection, and importantly, how it handles projects that are not supposed to have a public package at all.

Well, it takes the name of the git repository and treats that as the package name. If it finds a package with the same name, it assumes they are the same: it takes the commit you have pinned in the dependency, then goes to the package and retrieves the repository information and commit for its latest release. Then, using the repository from the public package, it checks that your pinned commit is included in the commit history of that release. If so, it'll create a PR bumping the dependency to use the public package.

This means an attacker who can guess or otherwise disclose a private dependency that uses a git repo can get Dependabot to incorrectly produce a PR pointing the dependency towards a malicious package.
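As an added illustration (not code from the episode or from Dependabot itself), the following Python models the name-based heuristic described above next to a guarded version that also requires the registry package's declared repository to match the git source before proposing a switch. The manifest entries, the registry fixture and its "history" field are constructed stand-ins for real registry lookups.

```python
from urllib.parse import urlparse

# Constructed manifest entries: dependency name -> (git URL, pinned commit).
GIT_DEPS = {
    "acme-internal-lib": ("https://github.com/acme-corp/acme-internal-lib.git", "c0ffee1"),
    "widget-sdk": ("https://github.com/widget-co/widget-sdk.git", "abc1234"),
}

# Constructed registry fixture: package name -> latest release metadata;
# "history" stands in for the commit history of that release's source repo.
REGISTRY = {
    # Same name as the private repo, but published from a different repository.
    "acme-internal-lib": {"version": "2.0.0",
                          "repository": "https://github.com/someone-else/acme-internal-lib",
                          "history": {"c0ffee1", "deadbee"}},
    # Legitimate case: the package really is built from the pinned repo.
    "widget-sdk": {"version": "1.4.0",
                   "repository": "https://github.com/widget-co/widget-sdk",
                   "history": {"abc1234", "9999999"}},
}

def repo_name(git_url):
    """Last path segment of a git URL, without the .git suffix."""
    path = urlparse(git_url).path.rstrip("/")
    return path.rsplit("/", 1)[-1].removesuffix(".git")

def repo_key(url):
    """Host + path, normalised so two spellings of one repo compare equal."""
    p = urlparse(url)
    return (p.netloc.lower(), p.path.rstrip("/").removesuffix(".git").lower())

def naive_suggestion(git_url, commit, registry):
    """As described: same name and pinned commit in release history => switch."""
    pkg = registry.get(repo_name(git_url))
    return pkg["version"] if pkg and commit in pkg["history"] else None

def guarded_suggestion(git_url, commit, registry):
    """Safer: also require the package's declared repo to be the pinned repo."""
    pkg = registry.get(repo_name(git_url))
    if not pkg or commit not in pkg["history"]:
        return None
    if repo_key(pkg["repository"]) != repo_key(git_url):
        return None  # same name, different repo: do not propose the switch
    return pkg["version"]

def audit(deps=GIT_DEPS, registry=REGISTRY):
    # name -> (what the naive heuristic proposes, what the guarded one proposes)
    return {name: (naive_suggestion(url, c, registry), guarded_suggestion(url, c, registry))
            for name, (url, c) in deps.items()}
```

Running `audit()` shows the naive check proposing a switch for the private repo's name while the guarded check declines it, and both agreeing on the legitimate package.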