
Amazing PHP

8898 @phpme

Welcome to the Amazing PHP Channel! Here you can find a lot of interesting articles/news about PHP, frameworks, tools and development.

Amazing PHP

5 years ago
Preventing Dependency Confusion in PHP with Composer
The problem boils down to companies referencing internal packages by name (e.g. "my-internal-package") and an attacker then publishing a package with the same name, "my-internal-package", but a higher version number on the language's central registry / package repository (for PHP that would be packagist.org). The package manager preferred the higher version number from the default package repository over the one in the internal repository, so the companies installed and ran the attacker's malicious package instead of their own.
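As an added example (not code from the post or from Composer itself), a small Python audit that reads a composer.json and reports which required packages in an internal vendor namespace could still be resolved from packagist.org, comparing a weak manifest with a hardened one. It relies on Composer 2's repository `only` / `exclude` filter lists and the `"packagist.org": false` switch; the vendor name `acme`, the internal repository URL and both manifests are constructed placeholders, and the check models only those filters, not repository ordering.

```python
import json
from fnmatch import fnmatch

# Constructed composer.json documents: "acme" and the internal URL are placeholders.
WEAK_MANIFEST = """{
  "repositories": [{"type": "composer", "url": "https://composer.example.internal"}],
  "require": {"acme/my-internal-package": "^1.0", "monolog/monolog": "^2.0"}
}"""
HARDENED_MANIFEST = """{
  "repositories": [
    {"type": "composer", "url": "https://composer.example.internal", "only": ["acme/*"]},
    {"type": "composer", "url": "https://repo.packagist.org", "exclude": ["acme/*"]}
  ],
  "require": {"acme/my-internal-package": "^1.0", "monolog/monolog": "^2.0"}
}"""
PACKAGIST_URLS = ("https://repo.packagist.org", "https://packagist.org")

def _repositories(manifest):
    """Repository entries, accepting both the list and the object form."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):  # {"name": {...}} or {"packagist.org": false}
        return [spec if isinstance(spec, dict) else {name: spec}
                for name, spec in repos.items()]
    return list(repos)

def _serves(repo, name):
    """Would this repository be consulted for `name`, given its only/exclude lists?"""
    if "only" in repo and not any(fnmatch(name, p) for p in repo["only"]):
        return False
    return not any(fnmatch(name, p) for p in repo.get("exclude", []))

def confusable_packages(manifest, internal_patterns):
    """Required packages in the internal namespaces that packagist.org may still
    provide, i.e. the names a higher public version could shadow."""
    repos = _repositories(manifest)
    # An explicit packagist entry replaces the implicit default, so its filters
    # decide; without one, only the "packagist.org": false switch removes it.
    explicit = [r for r in repos if r.get("type") == "composer"
                and r.get("url", "").rstrip("/") in PACKAGIST_URLS]
    disabled = any(r.get("packagist.org") is False for r in repos)
    required = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    return sorted(
        name for name in required
        if any(fnmatch(name, p) for p in internal_patterns)  # internal name only
        and (any(_serves(r, name) for r in explicit) if explicit else not disabled))

def audit(manifest_json, internal_patterns=("acme/*",)):
    return confusable_packages(json.loads(manifest_json), internal_patterns)
```

`audit(WEAK_MANIFEST)` flags `acme/my-internal-package`, while the hardened manifest, which excludes the internal namespace from packagist.org, yields nothing.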