Finding Dependency Confusion Vulnerabilities in Public GitHub Repositories

Sidhanta Palei — Fri, 06 Mar 2026 16:03:00 +0000

Supply chain attacks are becoming one of the most serious security risks in modern software development. Instead of attacking the application directly, attackers target the dependencies that the application relies on.

One attack technique that has gained a lot of attention in recent years is Dependency Confusion.

While researching supply chain vulnerabilities during bug bounty programs, I repeatedly encountered repositories that referenced internal dependencies which did not exist on public registries. That observation eventually led me to build a small tool called PACO to automate the process of identifying these risks.

This article explains how dependency confusion works and how PACO can help detect these vulnerabilities while browsing GitHub repositories.

What is Dependency Confusion?

Dependency confusion is a supply chain vulnerability where an attacker publishes a malicious package using the same name as an internal dependency used by an organization.

If the build system prefers packages from the public registry, it may install the attacker’s version instead of the intended internal package.

This type of attack can affect package ecosystems such as:

NPM
PyPI
RubyGems

Once the malicious package is installed, it can execute arbitrary code during installation or runtime.

Possible impacts include:

Remote code execution
Credential theft
Data exfiltration
CI/CD compromise

The attack became widely known after security researcher Alex Birsan demonstrated it against several major companies in 2021.

Since then, dependency confusion has become a common technique discussed in bug bounty and supply chain security research.

The Manual Problem

When analyzing open-source repositories for dependency confusion risks, the usual workflow looks like this:

Open a GitHub repository
Identify dependency files such as package.json, Gemfile, or requirements.txt
Extract dependency names
Check whether those packages exist on public registries
Identify packages that appear to be unpublished

Doing this manually works for one repository, but it becomes extremely slow when reviewing dozens of projects.

To speed up this workflow, I decided to automate the process.

Building PACO

PACO (Package Confuser) is a lightweight Chrome extension designed to detect unpublished dependencies directly while browsing GitHub repositories.

Instead of cloning repositories or running command-line tools, the extension allows security researchers and developers to analyze dependencies directly in the browser.

The goal is simple: quickly identify dependencies that may create a dependency confusion risk.

What PACO Detects

PACO scans dependency files in GitHub repositories and checks whether the referenced packages exist on official registries.

It helps identify:

Unpublished packages
Removed or broken dependencies
Packages that could be abused for dependency confusion attacks

Currently supported ecosystems include:

NPM (Node.js)
PyPI (Python)
RubyGems (Ruby)

Support for additional ecosystems is planned in future releases.

How the Extension Works

The extension performs several steps when scanning a repository.

1. Detect dependency files

PACO detects common dependency files used by different ecosystems:

package.json
Gemfile
requirements.txt

2. Extract dependency names

Each ecosystem requires a slightly different parsing approach.

For example:

JSON parsing for NPM dependencies
Regex extraction for Ruby Gemfiles
Line parsing for Python requirements

3. Query official package registries

After extracting dependency names, the extension queries the relevant registries:

registry.npmjs.org
pypi.org
rubygems.org

If a dependency cannot be found, PACO flags it as a potential dependency confusion candidate.

Example Scan

A typical PACO scan might return results like this:

[NPM] dt-adoptionoverview-extension → Unpublished

This indicates that the dependency referenced in the repository does not exist on the public NPM registry, which may indicate a potential supply chain risk.

Try PACO

If you are interested in supply chain security or bug bounty research, you can check out the project here:

https://github.com/r00tSid/PACO-Package-Confuser

Real Bug Bounty Findings

During bug bounty research, PACO helped identify real dependency confusion exposures in public programs.

Some of these findings resulted in bug bounty rewards.

These results highlight how supply chain issues can still exist in modern development environments, even in large organizations.

Why Browser-Based Scanning?

Most dependency scanning tools operate as command-line utilities. While those tools are powerful, they usually require cloning repositories or running scripts locally.

A browser-based approach makes it possible to analyze repositories instantly while reviewing code on GitHub.

For security researchers who frequently browse repositories during reconnaissance, this workflow can be significantly faster.

Future Improvements

PACO is still evolving, and several improvements are planned.

Possible future features include:

Support for additional ecosystems such as Go Modules, Maven, and Rust Cargo
CLI version for automated scanning
Organization-level repository scanning
Integration with CI/CD pipelines

Final Thoughts

Supply chain security has become a major concern for developers and organizations alike. Dependency confusion is just one example of how attackers can exploit weaknesses in package ecosystems.

Identifying these risks early can help prevent serious security incidents.

Tools like PACO are designed to make it easier for developers and security researchers to detect suspicious dependencies while reviewing code.

If you find the project useful, consider giving it a star on GitHub.

DEV Community: Sidhanta Palei