{"campaign":{"name":"Enterprise Dependency Confusion","slug":"enterprise-dependency-confusion","href":"/ti/campaigns/enterprise-dependency-confusion","description":"Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.","objective":"Achieve code execution inside targeted organizations by winning the public/private package name resolution race.","aliases":[],"discovered_at":"2025-01-16"},"packages":[{"ecosystem":"npm","name":"chrome-api-utils","href":"/ti/packages/npm/chrome-api-utils","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["1.1.0"]},{"ecosystem":"npm","name":"grafana-sentry-datasource","href":"/ti/packages/npm/grafana-sentry-datasource","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["1.0.4"]},{"ecosystem":"npm","name":"@patternfly-v5/patternfly","href":"/ti/packages/npm/@patternfly-v5/patternfly","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"electron-builder-13","href":"/ti/packages/npm/electron-builder-13","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["13.4.5"]},{"ecosystem":"npm","name":"graphql.vscode-graphql-syntax","href":"/ti/packages/npm/graphql.vscode-graphql-syntax","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["99.99.99"]},{"ecosystem":"npm","name":"mattermost-cloudnative-bootstrapper","href":"/ti/packages/npm/mattermost-cloudnative-bootstrapper","threat_types":["rat","persistence","dependency_confusion","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"hyatt-residential-roster","href":"/ti/packages/npm/hyatt-residential-roster","threat_types":["typosquat"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"hyatt-album","href":"/ti/packages/npm/hyatt-album","threat_types":["typosquat"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"hyatt-avatar","href":"/ti/packages/npm/hyatt-avatar","threat_types":["typosquat"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"@Schedaero/shared","href":"/ti/packages/npm/@Schedaero/shared","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["99440.540.1"]},{"ecosystem":"npm","name":"oc-aa-module-client","href":"/ti/packages/npm/oc-aa-module-client","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"@wame/ngx-adfs","href":"/ti/packages/npm/@wame/ngx-adfs","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"@the-coca-cola-company/ngps-global-common-utils","href":"/ti/packages/npm/@the-coca-cola-company/ngps-global-common-utils","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"cr-static-shared-components","href":"/ti/packages/npm/cr-static-shared-components","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"@ceeferenderer/fe-renderer-sdk","href":"/ti/packages/npm/@ceeferenderer/fe-renderer-sdk","threat_types":["credential_stealer","data_exfiltration","rat","persistence","dependency_confusion"],"versions":["999.999.999"]},{"ecosystem":"npm","name":"@genoma-ui/components","href":"/ti/packages/npm/@genoma-ui/components","threat_types":["c2_agent","dependency_confusion"],"versions":["999.9.9"]},{"ecosystem":"npm","name":"rrweb-v1","href":"/ti/packages/npm/rrweb-v1","threat_types":["c2_agent","dependency_confusion"],"versions":["999.9.9"]},{"ecosystem":"npm","name":"@needl-ai/common","href":"/ti/packages/npm/@needl-ai/common","threat_types":["c2_agent","dependency_confusion"],"versions":["999.9.9"]}],"indicators":[{"kind":"email","value":"jaddyday2@gmail.com","href":"/ti/ioc/email/jaddyday2@gmail.com","context":"Email indicator from blog post"},{"kind":"domain","value":"64.227.183.144","href":"/ti/ioc/domain/64.227.183.144","context":"Network indicator from blog post"},{"kind":"ipv4","value":"64.227.183.144","href":"/ti/ioc/ipv4/64.227.183.144","context":"IP address indicator from blog post"},{"kind":"email","value":"victim59@proton.me","href":"/ti/ioc/email/victim59@proton.me","context":"Email indicator from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Masquerading: package impersonation and typosquatting","mitre_attack_id":"T1036","href":"/ti/ttps/T1036"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"}],"related_campaigns":[],"reports":[{"title":"Malicious npm Packages using Burp Collaborator for Dependency Confusion Attack","url":"https://safedep.io/burp-collaborator-for-dependency-confusion-attack","published_at":"2025-01-16"},{"title":"Malicious npm Packages Impersonating Hyatt Internal Dependencies","url":"https://safedep.io/malicious-npm-packages-hyatt-campaign","published_at":"2025-10-23"},{"title":"Malicious npm Packages Target Schedaero via Dependency Confusion","url":"https://safedep.io/schedaero-dependency-confusion-attack","published_at":"2026-02-25"},{"title":"sl4x0 Dependency Confusion: 92 Packages Target Fortune 500","url":"https://safedep.io/sl4x0-dependency-confusion-campaign","published_at":"2026-03-24"},{"title":"Malicious npm Dependency Confusion Campaign Targets Genoma UI and Others","url":"https://safedep.io/malicious-genoma-ui-npm-dependency-confusion-campaign","published_at":"2026-04-10"}]}