Supply chain attacks are becoming one of the most serious security risks in modern software development. Instead of attacking the application directly, attackers target the dependencies that the application relies on.
One attack technique that has gained a lot of attention in recent years is Dependency Confusion.
While researching supply chain vulnerabilities during bug bounty programs, I repeatedly encountered repositories that referenced internal dependencies which did not exist on public registries. That observation eventually led me to build a small tool called PACO to automate the process of identifying these risks.
This article explains how dependency confusion works and how PACO can help detect these vulnerabilities while browsing GitHub repositories.
What is Dependency Confusion?
Dependency confusion is a supply chain vulnerability where an attacker publishes a malicious package using the same name as an internal dependency used by an organization.
If the build system prefers packages from the public registry, it may install the attacker’s version instead of the intended internal package.
This type of attack can affect package ecosystems such as:
- NPM
- PyPI
- RubyGems
Once the malicious package is installed, it can execute arbitrary code during installation or runtime.
Possible impacts include:
- Remote code execution
- Credential theft
- Data exfiltration
- CI/CD compromise
The attack became widely known after security researcher Alex Birsan demonstrated it against several major companies in 2021.
Since then, dependency confusion has become a common technique discussed in bug bounty and supply chain security research.
The Manual Problem
When analyzing open-source repositories for dependency confusion risks, the usual workflow looks like this:
- Open a GitHub repository
- Identify dependency files such as
package.json,Gemfile, orrequirements.txt - Extract dependency names
- Check whether those packages exist on public registries
- Identify packages that appear to be unpublished
Doing this manually works for one repository, but it becomes extremely slow when reviewing dozens of projects.
To speed up this workflow, I decided to automate the process.
Building PACO
PACO (Package Confuser) is a lightweight Chrome extension designed to detect unpublished dependencies directly while browsing GitHub repositories.
Instead of cloning repositories or running command-line tools, the extension allows security researchers and developers to analyze dependencies directly in the browser.
The goal is simple: quickly identify dependencies that may create a dependency confusion risk.
What PACO Detects
PACO scans dependency files in GitHub repositories and checks whether the referenced packages exist on official registries.
It helps identify:
- Unpublished packages
- Removed or broken dependencies
- Packages that could be abused for dependency confusion attacks
Currently supported ecosystems include:
- NPM (Node.js)
- PyPI (Python)
- RubyGems (Ruby)
Support for additional ecosystems is planned in future releases.
How the Extension Works
The extension performs several steps when scanning a repository.
1. Detect dependency files
PACO detects common dependency files used by different ecosystems:
package.jsonGemfilerequirements.txt
2. Extract dependency names
Each ecosystem requires a slightly different parsing approach.
For example:
- JSON parsing for NPM dependencies
- Regex extraction for Ruby Gemfiles
- Line parsing for Python requirements
3. Query official package registries
After extracting dependency names, the extension queries the relevant registries:
- registry.npmjs.org
- pypi.org
- rubygems.org
If a dependency cannot be found, PACO flags it as a potential dependency confusion candidate.
Example Scan
A typical PACO scan might return results like this:
[NPM] dt-adoptionoverview-extension → Unpublished
This indicates that the dependency referenced in the repository does not exist on the public NPM registry, which may indicate a potential supply chain risk.
Try PACO
If you are interested in supply chain security or bug bounty research, you can check out the project here:
https://github.com/r00tSid/PACO-Package-Confuser
Real Bug Bounty Findings
During bug bounty research, PACO helped identify real dependency confusion exposures in public programs.
Some of these findings resulted in bug bounty rewards.
These results highlight how supply chain issues can still exist in modern development environments, even in large organizations.
Why Browser-Based Scanning?
Most dependency scanning tools operate as command-line utilities. While those tools are powerful, they usually require cloning repositories or running scripts locally.
A browser-based approach makes it possible to analyze repositories instantly while reviewing code on GitHub.
For security researchers who frequently browse repositories during reconnaissance, this workflow can be significantly faster.
Future Improvements
PACO is still evolving, and several improvements are planned.
Possible future features include:
- Support for additional ecosystems such as Go Modules, Maven, and Rust Cargo
- CLI version for automated scanning
- Organization-level repository scanning
- Integration with CI/CD pipelines
Final Thoughts
Supply chain security has become a major concern for developers and organizations alike. Dependency confusion is just one example of how attackers can exploit weaknesses in package ecosystems.
Identifying these risks early can help prevent serious security incidents.
Tools like PACO are designed to make it easier for developers and security researchers to detect suspicious dependencies while reviewing code.
If you find the project useful, consider giving it a star on GitHub.
Top comments (0)