npx Used Confusion and It’s Super Effective

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.landh.tech//blog/20260521-npx-used-confusion-and-its-super-effective
• Blog Title: npx Used Confusion and It’s Super Effective
• Suggested Section: Pentesting Web > Dependency Confusion, as a subsection for npm/npx binary-package name confusion / npx command resolution abuse

🎯 Content Summary

Overview

The post introduces npx Confusion, a supply-chain execution technique against the npm/npx ecosystem. It is related to dependency confusion, but it does not rely on the classic private-registry-vs-public-registry precedence problem. Instead, it abuses the way npx resolves a command name when the command is not found locally, globally, or in the npx cache.

npx, embedded in npm, is designed to execute binaries from npm packages. If a...

🔧 Technical Details

npx binary/package-name confusion: When npx <name> is executed without an explicit --package flag, npm first searches for <name> as a binary in local node_modules/.bin, global bin paths, installed package trees, and the npx cache. If it cannot resolve the binary, npm pushes args[0] into the package list with packages.push(args[0]). That turns the original binary name into a package spec. If the package is missing from local/global/cache trees, npm fetches it from the public registry, installs it into ~/.npm/_npx/<hash>, prepends the cached node_modules/.bin directory to PATH, and executes it. An attacker can exploit this by registering an unclaimed public npm package whose name matches a binary that developers or automation run through npx.

Scoped-package binary-name takeover: Scoped npm packages such as @company/package🤖 Agent Actions

Updated src/pentesting-web/dependency-confusion.md.

Added a new subsection covering:

• npx binary/package-name confusion
• why scoped packages make it easier to exploit
• execution-context-dependent resolution (node_modules/.bin, global bins, Arborist tree, ~/.npm/_npx/, registry fallback)
• attacker workflow / red-team checks
• technical mitigations like explicit --package, avoiding bare npx <binary> in automation, and checking ~/.npm/_npx/

Also updated the file’s ## References with:

• the LandH blog post
• official npm npx / npm exec docs
• pinned npm CLI source links

Validation:

• diff reviewed
• single ## References section preserved
• balanced code fences
• final banner include preserved

Note: mdbook build could not be run because mdbook is not installed in this environment.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.landh.tech//blog/20260521-npx-used-confusion-and-its-super-effective

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web > Dependency Confusion, as a subsection for npm/npx binary-package name confusion / npx command resolution abuse".

Repository Maintenance:

• MD Files Formatting: 974 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0