Microsoft is sounding the alarm about the new "dependency confusion" attack technique

Microsoft has released a white paper outlining a new cyberattack method the company calls "dependency confusion" or "surrogate attack." The approach takes advantage of the open ecosystem that many companies rely on in their application development process, combining public and private feeds within the same development supply chain. When building applications, developers often use a mix of code stored in private libraries and dependencies pulled from public portals. However, if an attacker learned the names of the private libraries an enterprise application uses, they could register those same names in public package repositories and fill them with malicious code; a build that resolves the name from the public repository would then pull in the attacker's package. Microsoft has dubbed this threat a "surrogate attack." “A common hybrid configuration used by customers is to store internal packages in a private stream, while still allowing dependencies to be obtained from a public stream,” the Microsoft whitepaper explains. “This ensures that the latest package versions are automatically adopted when referencing a package that doesn't need to be updated. Internal developers post their packages to this private feed, and consumers review the private and public feeds to find the best available versions of required packages. This configuration presents a risk to the supply chain: the surrogate attack.”

Supply chain risk

As enterprise applications have become increasingly important and are used for network monitoring, lead generation, employee experience, and many other business needs, any threat to the software supply chain behind those applications could have huge implications. To test this attack method, independent security researchers published code to public libraries under private package names that technology companies had accidentally leaked. They found they could load new code into apps made by 35 big tech companies, including Shopify, Netflix, PayPal, and Microsoft itself. Fortunately, there are several mitigation strategies that organizations can use to reduce the likelihood of being targeted by dependency confusion attacks. Microsoft advises companies to reference a single private feed in their app development, protect their packages using controlled scopes, and use client-side verification features.

Via ZDNet
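The following is an added example, not code from Microsoft's white paper or from the researchers' work. It simulates, in a few lines of Python, both the hybrid feed behaviour described above (the resolver merges private and public feeds and takes the highest version, whichever feed it came from) and two of the mitigations the article lists: a reserved internal name prefix acting as a controlled scope that is only ever resolved from the private feed, and a client-side check of the resolved package against a lockfile. The feed contents, package names, version numbers and the `acme-` prefix are all constructed for illustration. It also includes a small audit function a defender can run to spot internal package names that already exist on a public feed.

```python
"""Simulated dependency resolution for a hybrid private/public feed setup.

Added example, not Microsoft's code. Feed contents, package names,
versions and the reserved prefix policy below are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]
Feed = Dict[str, List[Version]]
Resolved = Tuple[Version, str]  # (version, feed the version came from)

# Constructed private feed holding two internal packages.
PRIVATE_FEED: Feed = {
    "acme-internal-utils": [(1, 2, 0), (1, 3, 0)],
    "acme-auth": [(0, 9, 1)],
}

# Constructed public feed. "acme-internal-utils" has been registered here
# with a very high version number, which is the condition the article warns
# about: a merged resolver will prefer it over the internal package.
PUBLIC_FEED: Feed = {
    "requests": [(2, 25, 1), (2, 26, 0)],
    "acme-internal-utils": [(99, 0, 0)],
}


def resolve_hybrid(name: str, private: Feed, public: Feed) -> Optional[Resolved]:
    """Vulnerable behaviour: merge both feeds and pick the highest version,
    with no regard for which feed it came from."""
    candidates: List[Resolved] = [(v, "private") for v in private.get(name, [])]
    candidates += [(v, "public") for v in public.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])


def resolve_scoped(name: str, private: Feed, public: Feed,
                   internal_prefixes: Sequence[str]) -> Optional[Resolved]:
    """Hardened behaviour (controlled scope): any name under a reserved
    internal prefix is resolved only from the private feed, never from the
    public one. Other names are resolved from the public feed as usual."""
    if any(name.startswith(p) for p in internal_prefixes):
        versions = private.get(name)
        if not versions:
            # Fail closed rather than falling back to the public feed.
            raise LookupError(f"internal package {name!r} missing from private feed")
        return (max(versions), "private")
    versions = public.get(name)
    return (max(versions), "public") if versions else None


def audit_shadowed_names(private: Feed, public: Feed) -> List[str]:
    """Defender check: internal package names that also exist on the public
    feed. Any hit is worth investigating before the next build."""
    return sorted(n for n in private if n in public)


def verify_against_lock(name: str, resolved: Resolved,
                        lock: Dict[str, Resolved]) -> bool:
    """Client-side verification: the resolved (version, feed) pair must match
    what the lockfile recorded when the dependency was first reviewed."""
    return lock.get(name) == resolved


if __name__ == "__main__":
    print("hybrid :", resolve_hybrid("acme-internal-utils", PRIVATE_FEED, PUBLIC_FEED))
    print("scoped :", resolve_scoped("acme-internal-utils", PRIVATE_FEED, PUBLIC_FEED, ("acme-",)))
    print("shadowed names:", audit_shadowed_names(PRIVATE_FEED, PUBLIC_FEED))
```

Running the script shows the merged resolver choosing version 99.0.0 from the public feed for the internal package, while the scoped resolver returns 1.3.0 from the private feed and the audit flags `acme-internal-utils` as a name present on both feeds.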