Security researcher Alex Birsan has uncovered a novel supply chain attack, dependency confusion (also called namesquatting), against package managers such as pip and npm: anyone can publish a package under any unclaimed name on a public registry without review, and if that name matches a package an organisation serves only from an internal index, the malicious public copy can end up installed on development and production systems. Unlike typosquatting, the attack relies on no typing mistake; it exploits how clients merge candidates when both an internal and a public index are configured (for pip, --extra-index-url treats the two as peers) and install whichever version number is highest, wherever that version comes from. Birsan demonstrated this by publishing packages on the Python Package Index (PyPI) with version numbers higher than the internal ones, so that pip chose the public copy and ran the attacker's setup.py while installing the source distribution. The article goes on to show that wheels, which normally run no code at install time, can still be abused by placing files at installation paths from which code is executed later. Two mitigations are proposed: pip's --only-binary flag, which refuses source distributions and so blocks install-time setup.py execution (but does not address the wheel-path technique), and piproxy, a proxy index that answers from the internal repository first and falls through to the public one only for names the internal repository does not carry. The text further argues that prevention alone is not enough and that breach detection through static analysis of package contents is needed, pointing to Vdoo's work (Vdoo is now part of JFrog) to build such analysis into its platform. The research underscores how little of the package management infrastructure was designed with security in mind, and it calls on package manager maintainers to fix the resolution behaviour in the tools themselves rather than leaving users to rely on external proxies and mitigations.
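The resolution behaviour described above, as an added example that is not code from the article, from pip or from piproxy: two constructed indexes (an internal one carrying acme-utils 1.4.2 and a public one where an attacker has published acme-utils 99.0), a resolver that merges them the way --extra-index-url does, an internal-first resolver in the spirit of piproxy, and a check that lists internal package names an attacker could shadow. The package names, versions and the minimal version parser are assumptions made for the illustration.

```python
"""Simulate pip's highest-version-wins resolution across two indexes and
the internal-first alternative. Added example; the indexes below are
constructed samples, not data from the article."""

# Constructed sample indexes: the organisation serves "acme-utils" only
# internally; an attacker has registered the same name publicly with a
# version number that beats anything the internal index has.
INTERNAL_INDEX = {"acme-utils": ["1.4.0", "1.4.2"]}
PUBLIC_INDEX = {"acme-utils": ["99.0"], "requests": ["2.31.0"]}


def parse_version(version):
    """Minimal release-segment parser: '1.4.2' -> (1, 4, 2).
    Assumption: only plain dotted integer releases (no pre/post/dev tags)."""
    return tuple(int(part) for part in version.split("."))


def resolve_extra_index(name, internal, public):
    """Behaviour of pip with --index-url <internal> --extra-index-url <public>:
    candidates from both indexes are pooled and the highest version wins,
    no matter which index it came from. Returns (version, source)."""
    candidates = [(parse_version(v), "internal", v) for v in internal.get(name, [])]
    candidates += [(parse_version(v), "public", v) for v in public.get(name, [])]
    if not candidates:
        raise LookupError(f"no distribution found for {name}")
    _, source, version = max(candidates)
    return version, source


def resolve_internal_first(name, internal, public):
    """Internal-first resolution (the piproxy idea): if the internal index
    knows the name at all, only its versions are eligible; the public index
    is consulted solely for names the internal index has never seen."""
    if name in internal:
        return max(internal[name], key=parse_version), "internal"
    if name in public:
        return max(public[name], key=parse_version), "public"
    raise LookupError(f"no distribution found for {name}")


def find_shadowed(internal, public):
    """Names present on both indexes: every one of these is a candidate for
    dependency confusion and should be claimed or blocked on the public side."""
    return sorted(set(internal) & set(public))


if __name__ == "__main__":
    print("extra-index:   ", resolve_extra_index("acme-utils", INTERNAL_INDEX, PUBLIC_INDEX))
    print("internal-first:", resolve_internal_first("acme-utils", INTERNAL_INDEX, PUBLIC_INDEX))
    print("shadowed names:", find_shadowed(INTERNAL_INDEX, PUBLIC_INDEX))
```

With a merged search the public 99.0 wins outright; with internal-first resolution the public copy is never even a candidate for a name the organisation owns, which is the property a proxy such as piproxy is meant to give you. The same check applies to the list of names a private index serves: anything on that list that is also registrable on PyPI is exposed until it is claimed there.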
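A check for the wheel angle the article raises, as an added example that is not code from the article: wheels run no setup.py, but their members are unpacked to installation paths, and a .pth file dropped into site-packages is read by the interpreter at every start, while entries under a .data/scripts or .data/data directory land outside the package directory entirely. The function below inspects a wheel's member list for such paths; the two wheels it runs on are constructed in memory, and the package name, version and the inert .pth content are assumptions made for the illustration.

```python
"""Audit a wheel's member paths for files that execute or install outside
the package directory. Added example; the wheels built here are
constructed samples, not packages from the article."""
import io
import zipfile

# .pth files in site-packages are processed by site.py at interpreter
# startup; lines starting with "import" are executed.
SUSPICIOUS_SUFFIXES = (".pth",)
# Subdirectories of <dist>.data/ that installers place outside site-packages.
SUSPICIOUS_DATA_DIRS = ("scripts", "data", "headers")


def audit_wheel(wheel_bytes):
    """Return a list of (member, reason) findings for the wheel's contents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            parts = member.split("/")
            if member.startswith("/") or ".." in parts:
                findings.append((member, "path escapes the install root"))
                continue
            if member.endswith(SUSPICIOUS_SUFFIXES):
                findings.append((member, ".pth file is processed at interpreter startup"))
            if len(parts) > 1 and parts[0].endswith(".data") and parts[1] in SUSPICIOUS_DATA_DIRS:
                findings.append((member, f"installs outside site-packages ({parts[1]})"))
    return findings


def build_wheel(members):
    """Build an in-memory wheel (a zip) from {path: content}; constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


CLEAN_WHEEL = build_wheel({
    "acme_utils/__init__.py": "VERSION = '1.4.2'\n",
    "acme_utils-1.4.2.dist-info/METADATA": "Name: acme-utils\nVersion: 1.4.2\n",
    "acme_utils-1.4.2.dist-info/RECORD": "",
})

# The .pth body is a comment only, so this sample does nothing if installed;
# a real payload would use an "import ..." line, which site.py executes.
MALICIOUS_WHEEL = build_wheel({
    "acme_utils/__init__.py": "VERSION = '99.0'\n",
    "acme_utils-99.0.dist-info/METADATA": "Name: acme-utils\nVersion: 99.0\n",
    "acme_utils-99.0.dist-info/RECORD": "",
    "zz_acme.pth": "# an 'import ...' line here would run at every interpreter start\n",
    "acme_utils-99.0.data/scripts/acme": "#!/bin/sh\n",
})


if __name__ == "__main__":
    print("clean:    ", audit_wheel(CLEAN_WHEEL))
    print("malicious:", audit_wheel(MALICIOUS_WHEEL))
```

This is a cheap pre-install gate to run over wheels fetched by a proxy or a CI cache: a .pth member or a scripts/data entry is not malicious by itself (many legitimate packages ship console scripts), but it is exactly the class of content that --only-binary does not stop, so those wheels are the ones worth pulling aside for the static analysis the article calls for.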