Supply chain security vulnerabilities are a serious issue that all Unity developers need to take into consideration when creating their games.
One of these vulnerabilities is known as dependency confusion. Dependency confusion occurs when an attacker is able to influence a developer’s environment and tools so that they download a malicious package in place of the intended one. This attack leverages unsafe default behavior within some package managers and private repositories.
The Unity Editor has its own package manager, Unity Package Manager, which supports fetching packages from NPM registries. This means a Unity developer using a private NPM registry could face the same risks of the dependency confusion vulnerability described above.
Take, for example, a Unity project that pulls from a private registry and a public registry like npm.io. As standard development practice, a developer uploads Package A to the private registry. If the package manager scopes are too broad, or if the private registry proxies a public registry, then an attacker can upload a malicious Package A with a higher version number to the public repository. Because of its higher version number, the malicious package is the one downloaded into the Unity project, resulting in code execution on the developer’s machine at dependency load time, or on any machine that builds or runs the Unity project.
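The scope problem described above can be checked mechanically from `Packages/manifest.json`. The following is an added example, not code from the original article or from Unity; it assumes that UPM resolves a package to the scoped registry with the longest matching scope (matched on a dot boundary) and otherwise to the default public registry, and it uses two constructed manifests, one whose scope is too narrow (a private package falls through to the public registry) and one whose scope is too broad (public Unity packages are routed through the private proxy):

```python
import json

DEFAULT_REGISTRY = "https://packages.unity.com"  # UPM's default (public) registry

# Constructed Packages/manifest.json: the scope only covers com.example.ui, so the
# private package com.example.networking falls through to the public registry.
NARROW_MANIFEST = json.loads("""{
  "scopedRegistries": [
    {"name": "Internal", "url": "https://npm.example.internal", "scopes": ["com.example.ui"]}
  ],
  "dependencies": {
    "com.example.ui.widgets": "1.2.0",
    "com.example.networking": "2.0.1",
    "com.unity.textmeshpro": "3.0.6"
  }
}""")

# Constructed manifest with the opposite mistake: scope "com" captures every reverse-DNS
# package name, so public Unity packages are pulled through the private (proxying) registry.
BROAD_MANIFEST = json.loads("""{
  "scopedRegistries": [
    {"name": "Internal", "url": "https://npm.example.internal", "scopes": ["com"]}
  ],
  "dependencies": {"com.example.networking": "2.0.1", "com.unity.textmeshpro": "3.0.6"}
}""")


def resolve_registry(name, scoped_registries):
    """Pick the scoped registry with the longest matching scope; else the default registry."""
    best_url, best_len = DEFAULT_REGISTRY, -1
    for reg in scoped_registries:
        for scope in reg.get("scopes", []):
            if (name == scope or name.startswith(scope + ".")) and len(scope) > best_len:
                best_url, best_len = reg["url"], len(scope)
    return best_url


def audit_manifest(manifest, private_prefixes):
    """Return findings: private names resolving publicly, and public names routed privately."""
    registries = manifest.get("scopedRegistries", [])
    findings = []
    for name in manifest.get("dependencies", {}):
        is_private = any(name.startswith(p) for p in private_prefixes)
        url = resolve_registry(name, registries)
        if is_private and url == DEFAULT_REGISTRY:
            findings.append(f"{name}: private name resolves to public registry {url}")
        elif not is_private and url != DEFAULT_REGISTRY:
            findings.append(f"{name}: public package routed through private registry {url}")
    return findings
```

Run `audit_manifest(json.load(open("Packages/manifest.json")), ["com.example."])` against a real project, substituting your organization's private name prefix, to see which dependencies would be fetched from which registry.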
By using private packages in the Unity Editor with a private registry that proxies a public repository, a developer may leave themselves vulnerable to a dependency confusion attack. This attack is what IncludeSecurity describes in their article here.