Dependency Confusion Hunter is a Chrome extension that passively monitors web pages for packages that may be vulnerable to Dependency Confusion attacks. It analyzes JavaScript files and source maps to identify internal/private dependencies that don't exist in public registries (npm, PyPI).
Dependency Confusion is a supply chain attack where an attacker publishes a malicious package to a public registry with the same name as an internal/private package. If the package manager isn't configured correctly, it may download the malicious public package instead of the private one.
```javascript
// Example: Internal package that doesn't exist on npm
import { auth } from 'company-internal-auth'; // ⚠️ Vulnerable!
// An attacker can publish 'company-internal-auth' to npm
// and compromise systems that try to install it
```
Install the extension:

```bash
# 1. Clone this repository
git clone https://github.com/KingOfBugbounty/Dependency-Confusion-Hunter.git
# 2. Open Chrome and go to
chrome://extensions/
# 3. Enable "Developer mode" (top right)
# 4. Click "Load unpacked"
# 5. Select the cloned folder
```

Generate the extension icons:

```bash
python3 create_icons.py
```

Receive instant alerts on Discord:
- Go to your Discord channel → Settings → Integrations → Webhooks
- Create a new webhook
- Copy the webhook URL
- Paste in extension settings
Route traffic through Burp Suite or a corporate proxy, for example Burp's default listener:

```text
http://127.0.0.1:8080
```
How it works:

1. Install the extension
2. Browse websites normally
3. Extension analyzes JS files passively
4. Get alerts for vulnerable packages
5. Click extension icon to see results
Detected npm patterns:

```javascript
// All these patterns are detected:
require('package-name')
import x from 'package-name'
import('package-name')
import { x } from '@scope/package'
// References in node_modules/
```

Detected Python/PyPI patterns:

```python
# These patterns are detected:
import package_name
from package_name import x
pip install package-name
```

Popup contents:

| Statistics | Vulnerability List | Actions |
|---|---|---|
| • Total packages found<br>• Files analyzed<br>• Vulnerabilities count | • Package name<br>• Registry type (npm/pip)<br>• Source URL | • Copy package name<br>• Copy npm publish cmd<br>• Open registry |
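The import and require forms listed above are what the extension looks for. As an added example that is not code from the Dependency Confusion Hunter project, the following JavaScript extracts package names from a constructed bundle fragment with those patterns and reports the names missing from a constructed stand-in for the public npm index (a real check would query the registry; all function and variable names are assumptions):

```javascript
// Added example, not part of the Dependency Confusion Hunter source.
// Extracts bare package names from JavaScript using the import/require
// forms listed above, then reports which are absent from a constructed
// index of known public npm packages (a real check would query npm).
const NODE_BUILTINS = new Set(['fs', 'path', 'http', 'https', 'crypto', 'os', 'url', 'util', 'events', 'stream', 'child_process']);
// One pattern per import form: require('x'), import('x'), and static
// `import ... from 'x'` (including bare `import 'x'`).
const SPECIFIER_PATTERNS = [
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\bimport\s+(?:[\w$*{}\s,]+\s+from\s+)?['"]([^'"]+)['"]/g,
];
// Reduce a module specifier to its package name, or null if it is not
// a registry package (relative/absolute path, URL, node: builtin).
function toPackageName(specifier) {
  if (/^[./]/.test(specifier) || /^[a-z]+:/i.test(specifier)) return null;
  const parts = specifier.split('/');
  // Scoped packages keep two segments (@scope/name); others keep one.
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return name && !NODE_BUILTINS.has(name) ? name : null;
}

function extractPackageNames(source) {
  const names = new Set();
  for (const pattern of SPECIFIER_PATTERNS) {
    for (const match of source.matchAll(pattern)) {
      const name = toPackageName(match[1]);
      if (name) names.add(name);
    }
  }
  return [...names].sort();
}
// Names missing from the public index are the candidates to review.
function findUnresolved(names, publicIndex) {
  return names.filter((name) => !publicIndex.has(name));
}

// Constructed sample bundle fragment and a constructed stand-in for npm.
const SAMPLE_SOURCE = `
  const auth = require('company-internal-auth');
  import React from 'react';
  import { debounce } from 'lodash/debounce';
  import { tracker } from '@acme/telemetry-sdk';
  import('./lazy-chunk.js');
  const fs = require('node:fs');
  import path from 'path';
`;
const PUBLIC_INDEX = new Set(['react', 'lodash']);
console.log('unresolved:', findUnresolved(extractPackageNames(SAMPLE_SOURCE), PUBLIC_INDEX));
```

A name that is unresolved is only a candidate: it may be a private package served from an internal registry, which is exactly the case to confirm with the owning team.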
Authorized use cases:
- Authorized penetration testing
- Bug bounty programs
- Security research
- Educational purposes
- CTF competitions

Prohibited:
- Unauthorized exploitation
- Publishing malicious packages
- Supply chain attacks
- Compromising systems without permission
Project structure:

```text
Dependency-Confusion-Hunter/
├── manifest.json      # Extension configuration
├── background.js      # Service worker (main logic)
├── content.js         # Page content analyzer
├── injected.js        # Injected script context
├── popup.html/js      # Extension popup UI
├── options.html/js    # Settings page
├── styles.css         # Styles
├── icons/             # Extension icons
│   ├── icon16.png
│   ├── icon48.png
│   └── icon128.png
└── create_icons.py    # Icon generator script
```
Troubleshooting:

| Problem | Solution |
|---|---|
| No detections | Check whether the site loads any JavaScript files |
| No notifications | Check Chrome notification permissions |
| Discord not working | Verify the webhook URL is correct |
| Extension not loading | Ensure your Chrome version supports Manifest V3 |