Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber were all affected. Security researcher Alex Birsan has collectively been awarded over $130,000 in bug bounties for his efforts. The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may pull components from a mix of private and public package sources. Microsoft released a new white paper on Tuesday outlining three ways to mitigate risk when using private package feeds.
Source: https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html
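As an added illustration, not code from the Hacker News article or from Microsoft's white paper, the Python script below audits an npm project's configuration for the exposure the technique relies on: internal packages that are unscoped or whose scope is not routed to the private feed in `.npmrc`, and dependencies referenced by version ranges instead of exact pins. The `.npmrc`, `package.json` contents, registry URLs and internal package list are constructed sample data; the checks correspond to the controlled-scope and version-pinning mitigations as I understand them, which is an assumption rather than a summary of the paper's text.

```python
"""Audit an npm project's config for dependency-confusion exposure.

Internal packages should live under a controlled scope that .npmrc routes
to the private registry, and dependencies should be pinned exactly.
All inputs below are constructed sample data, not real project files.
"""
import json
import re

# Constructed sample .npmrc: the @acme scope is routed to the private feed,
# everything else resolves from the public registry.
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Constructed package.json (weak): one internal package is unscoped and
# referenced by a range, so a same-named public package could be pulled.
WEAK_PACKAGE_JSON = json.dumps({"dependencies": {
    "acme-billing-utils": "^1.2.0",
    "@acme/auth-client": "2.0.1",
    "lodash": "4.17.21",
}})

# Constructed package.json (corrected): internal packages sit under the
# controlled @acme scope and every dependency is an exact version.
FIXED_PACKAGE_JSON = json.dumps({"dependencies": {
    "@acme/billing-utils": "1.2.0",
    "@acme/auth-client": "2.0.1",
    "lodash": "4.17.21",
}})

# Constructed: names the organisation knows are internal-only.
INTERNAL_PACKAGES = {"acme-billing-utils", "@acme/billing-utils", "@acme/auth-client"}
PUBLIC_REGISTRY = "https://registry.npmjs.org/"
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) parsed from .npmrc text."""
    default, scopes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
    return default, scopes


def audit(package_json_text, npmrc_text, internal_names):
    """Return a list of findings; an empty list means every check passed."""
    deps = json.loads(package_json_text).get("dependencies", {})
    default_registry, scoped = parse_npmrc(npmrc_text)
    findings = []
    for name, spec in deps.items():
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if name in internal_names:
            if scope is None:
                findings.append(
                    f"{name}: internal package is unscoped, so a public package "
                    f"of the same name would resolve from {default_registry}")
            elif scope not in scoped:
                findings.append(f"{name}: scope {scope} is not routed to a private registry in .npmrc")
            elif scoped[scope] == PUBLIC_REGISTRY:
                findings.append(f"{name}: scope {scope} is routed to the public registry")
        # Exact pin check: a range operator (^, ~, >=) leaves room for substitution.
        if not EXACT_VERSION.fullmatch(spec):
            findings.append(f"{name}: version spec '{spec}' is a range, not an exact pin")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_PACKAGE_JSON), ("fixed", FIXED_PACKAGE_JSON)):
        print(f"--- {label} ---")
        for finding in audit(manifest, NPMRC, INTERNAL_PACKAGES) or ["no findings"]:
            print(finding)
```

Run against the weak manifest the audit reports two findings, both on the unscoped `acme-billing-utils`; the corrected manifest produces none. Pointing `.npmrc` at only the public registry makes the scoped internal packages fail the routing check, which is the signal a build pipeline should block on.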

