Dependency Confusion Hunter is a Chrome extension that passively monitors web pages for packages that may be vulnerable to Dependency Confusion attacks. It analyzes JavaScript files and source maps to identify internal/private dependencies that don't exist in public registries (npm, PyPI).
Dependency Confusion is a supply chain attack where an attacker publishes a malicious package to a public registry with the same name as an internal/private package. If the package manager isn't configured correctly, it may download the malicious public package instead of the private one.
```javascript
// Example: Internal package that doesn't exist on npm
import { auth } from 'company-internal-auth'; // ⚠️ Vulnerable!
// An attacker can publish 'company-internal-auth' to npm
// and compromise systems that try to install it
```
```text
# 1. Clone this repository
git clone https://github.com/KingOfBugbounty/Dependency-Confusion-Hunter.git
# 2. Open Chrome and go to
chrome://extensions/
# 3. Enable "Developer mode" (top right)
# 4. Click "Load unpacked"
# 5. Select the cloned folder
```

To regenerate the extension icons, run the icon generator script:

```bash
python3 create_icons.py
```

Receive instant alerts on Discord:
- Go to your Discord channel → Settings → Integrations → Webhooks
- Create a new webhook
- Copy the webhook URL
- Paste in extension settings
Route traffic through Burp Suite or a corporate proxy:

```text
http://127.0.0.1:8080
```
Workflow:

1. Install the extension
2. Browse websites normally
3. Extension analyzes JS files passively
4. Get alerts for vulnerable packages
5. Click extension icon to see results
```javascript
// All these patterns are detected:
require('package-name')
import x from 'package-name'
import('package-name')
import { x } from '@scope/package'
// References in node_modules/
```

```python
# These patterns are detected:
import package_name
from package_name import x
pip install package-name
```

The extension popup shows:

| 📈 Statistics | 📋 Vulnerability List | ⚙️ Actions |
|---|---|---|
| Total packages found | Package name | Copy package name |
| Files analyzed | Registry type (npm/pip) | Copy npm publish command |
| Vulnerabilities count | Source URL | Open registry |
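The JavaScript patterns above, as an added example that is not the extension's own code: it pulls bare module specifiers out of a script, reduces them to registry package names (scoped packages, subpath imports, paths, URLs and Node builtins handled), and reports the names that no public package claims. The sample bundle `SAMPLE_JS` and the stand-in registry `PUBLIC_NPM` are constructed; the real extension would query npm instead of a local Set.

```javascript
// Added example, not the extension's own code. The npm lookup is simulated
// with a constructed Set (PUBLIC_NPM); a real analyzer queries the registry.
const PATTERNS = [
  /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,                   // require('pkg')
  /\bimport\s+(?:[\w*\s{},]+\s+from\s+)?['"]([^'"]+)['"]/g, // import x from 'pkg', import 'pkg'
  /\bimport\(\s*['"]([^'"]+)['"]\s*\)/g,                    // import('pkg')
];
// Partial list of Node builtins; these never resolve from a registry.
const NODE_BUILTINS = new Set(['fs', 'path', 'http', 'https', 'crypto', 'os', 'url', 'util']);

// Reduce a specifier to the registry package it names, or null when it cannot
// name one (relative/absolute path, URL or node: scheme, builtin module).
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || /^[a-z][a-z0-9+.-]*:/i.test(spec)) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name; // 'lodash/fp' -> 'lodash', '@s/p/x' -> '@s/p'
}

function extractPackages(source) {
  const found = new Set();
  for (const re of PATTERNS) {
    for (const m of source.matchAll(re)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// A referenced name that no public package claims is a dependency-confusion
// candidate: if it is private, a build that resolves it from npm is at risk.
function findCandidates(source, publicRegistry) {
  return [...extractPackages(source)].filter((n) => !publicRegistry.has(n)).sort();
}

// Constructed sample bundle fragment and constructed stand-in for the npm registry.
const SAMPLE_JS = `
import { auth } from 'company-internal-auth';
import React from 'react';
import fp from 'lodash/fp';
import { Button } from '@acme/design-system';
const util = require('util');
const cfg = require('./config.json');
import('node:fs').then(console.log);
`;
const PUBLIC_NPM = new Set(['react', 'lodash', '@types/node']);
console.log(findCandidates(SAMPLE_JS, PUBLIC_NPM)); // → [ '@acme/design-system', 'company-internal-auth' ]
```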
This tool is intended for:

- Authorized penetration testing
- Bug bounty programs
- Security research
- Educational purposes
- CTF competitions

It is not to be used for:

- Unauthorized exploitation
- Publishing malicious packages
- Supply chain attacks
- Compromising systems without permission
```text
Dependency-Confusion-Hunter/
├── manifest.json     # Extension configuration
├── background.js     # Service worker (main logic)
├── content.js        # Page content analyzer
├── injected.js       # Injected script context
├── popup.html/js     # Extension popup UI
├── options.html/js   # Settings page
├── styles.css        # Styles
├── icons/            # Extension icons
│   ├── icon16.png
│   ├── icon48.png
│   └── icon128.png
└── create_icons.py   # Icon generator script
```

Troubleshooting:
| Problem | Solution |
|---|---|
| No detections | Check if site has JavaScript files |
| No notifications | Check Chrome notification permissions |
| Discord not working | Verify webhook URL is correct |
| Extension not loading | Ensure Manifest V3 is supported |