
Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion

What's this blog post about?

Twilio's Product Security team investigated a novel supply chain attack that abuses dependency package naming. Because public registries have no namespace, scope, or vendor component in package names, an attacker can upload a malicious package to a public registry under the same name as a company's internal package, so that the target's build tooling resolves and installs the attacker's copy instead of the internal one. To safeguard its customers' data, Twilio implemented controls such as introducing and enforcing naming conventions for all internal packages, blocking its package manager proxies from serving external packages whose names collide with internal ones, mandating that package installs come through internal package manager proxies, and deleting old packages that did not follow the new naming conventions. These changes reduced the risk of unintentional downloads and ensured that only Twilio could publish under its package names in public registries. By working together with engineering teams, Twilio was able to identify the languages vulnerable to the attack, implement security controls, and automate monitoring that alerts on naming collisions. The team emphasized the importance of keeping a clean inventory of dependencies, programming languages, and CI/CD systems, as well as active monitoring tools to detect potential issues early.
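The three controls summarised above (a naming convention for internal packages, a proxy that never serves a public package whose name collides with an internal one, and monitoring for collisions) can be modelled in a short audit script. The following is an added example, not Twilio's code or anything from the original post: the "acme-" prefix, the internal inventory, and the offline snapshot of public registry names are all constructed for illustration (a real check would query the registry's API instead of a hard-coded set).

```python
"""Added example: auditing an internal package inventory for
dependency-confusion risk. All names and the prefix are assumptions."""
from dataclasses import dataclass

# Assumed naming convention: every internal package carries this prefix.
INTERNAL_PREFIX = "acme-"

# Constructed inventory of packages published to the internal registry.
INTERNAL_PACKAGES = {
    "acme-auth-client": "2.4.0",
    "acme-billing-sdk": "1.0.3",
    "payments-core": "3.1.0",   # legacy name that predates the convention
    "log-formatter": "0.9.1",   # legacy name that predates the convention
}

# Constructed snapshot of names that exist on the public registry.
PUBLIC_REGISTRY_NAMES = {
    "requests",
    "payments-core",      # collides with an internal legacy package
    "log-formatter",      # collides with an internal legacy package
    "acme-auth-client",   # the prefixed name registered publicly on purpose
}


def noncompliant_packages(internal, prefix=INTERNAL_PREFIX):
    """Internal packages whose names do not follow the required prefix.
    These are the rename-or-delete candidates the post describes."""
    return sorted(name for name in internal if not name.startswith(prefix))


def naming_collisions(internal, public_names):
    """Internal names that also exist on the public registry: the exact
    condition dependency confusion needs, and what monitoring alerts on."""
    return sorted(set(internal) & set(public_names))


@dataclass(frozen=True)
class ResolveDecision:
    name: str
    source: str   # "internal", "public" or "blocked"
    reason: str


def proxy_resolve(name, internal, public_names, prefix=INTERNAL_PREFIX):
    """Policy for an internal package-manager proxy (assumed rules):
    - a name in the internal inventory is always served internally, so a
      public package with a colliding name is never proxied;
    - a name carrying the reserved prefix but absent internally is blocked;
    - any other name is proxied from upstream if it exists there."""
    if name in internal:
        return ResolveDecision(name, "internal", "internal inventory wins over upstream")
    if name.startswith(prefix):
        return ResolveDecision(name, "blocked", "reserved prefix not in internal inventory")
    if name in public_names:
        return ResolveDecision(name, "public", "no collision with internal inventory")
    return ResolveDecision(name, "blocked", "not found in upstream snapshot")


def audit(internal, public_names, prefix=INTERNAL_PREFIX):
    """One report combining the convention check and the collision monitor."""
    return {
        "noncompliant": noncompliant_packages(internal, prefix),
        "collisions": naming_collisions(internal, public_names),
    }


if __name__ == "__main__":
    report = audit(INTERNAL_PACKAGES, PUBLIC_REGISTRY_NAMES)
    print("packages violating naming convention:", report["noncompliant"])
    print("names colliding with the public registry:", report["collisions"])
    for pkg in ("payments-core", "requests", "acme-evil-sdk"):
        d = proxy_resolve(pkg, INTERNAL_PACKAGES, PUBLIC_REGISTRY_NAMES)
        print(f"{d.name}: {d.source} ({d.reason})")
```

Note that "acme-auth-client" appears in the collision list even though the collision is intentional (the name was registered publicly by its owner); a production monitor would suppress such known-owned names, which is why the post stresses keeping the inventory clean rather than relying on the alert alone.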

Company
Twilio

Date published
Aug. 3, 2021

Author(s)
Laxman Eppalagudem

Word count
1885

Language
English

Hacker News points
2


By Matt Makai. 2021-2024.