Finding Dependency Confusion Vulnerabilities in Public GitHub Repositories

via Dev.to, by Sidhanta Palei

Supply chain attacks are becoming one of the most serious security risks in modern software development. Instead of attacking the application directly, attackers target the dependencies that the application relies on. One attack technique that has gained a lot of attention in recent years is Dependency Confusion. While researching supply chain vulnerabilities during bug bounty programs, I repeatedly encountered repositories that referenced internal dependencies which did not exist on public registries. That observation eventually led me to build a small tool called PACO to automate the process of identifying these risks. This article explains how dependency confusion works and how PACO can help detect these vulnerabilities while browsing GitHub repositories.

What is Dependency Confusion?

Dependency confusion is a supply chain vulnerability where an attacker publishes a malicious package using the same name as an internal dependency used by an organization. If the build system prefers
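As an added example (not code from the article or from PACO), the audit below shows the defender-side check the excerpt describes: it reads a repository's package.json and .npmrc and flags dependencies that are neither published on the public registry nor routed to a private registry by a scope mapping, which is exactly the gap a name-collision package could exploit. The manifest, the .npmrc and the stand-in public-registry set are all constructed for this example; a real audit would replace the set with an actual registry lookup.

```python
import json
import re

# Constructed sample manifest (not taken from any real repository).
PACKAGE_JSON = """
{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/auth-client": "^2.1.0",
    "acme-internal-utils": "1.4.0",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "@acme/eslint-config": "^1.0.0"
  }
}
"""

# Constructed .npmrc: only the @acme scope is pinned to a private registry.
NPMRC = """
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

# Constructed stand-in for "does this name exist on the public registry?"
# so the example runs offline; a real audit queries the registry instead.
PUBLIC_REGISTRY = {"express", "lodash"}


def scoped_registries(npmrc: str) -> dict:
    """Return {scope: registry_url} for every '@scope:registry=' line."""
    mapping = {}
    for line in npmrc.splitlines():
        m = re.match(r"\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def audit(package_json: str, npmrc: str, public_names: set) -> list:
    """Flag dependencies that are not public and not routed to a private registry."""
    manifest = json.loads(package_json)
    pinned = scoped_registries(npmrc)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            scope = name.split("/")[0] if name.startswith("@") else None
            if scope in pinned:
                continue  # resolution is forced to the private registry
            if name in public_names:
                continue  # a genuinely public package, nothing to collide with
            findings.append({"name": name, "section": section,
                             "reason": "not on public registry and no scope mapping"})
    return findings
```

Unscoped internal names such as acme-internal-utils are the typical finding; the fix is to scope them and map the scope in .npmrc (or pin the registry in the lockfile) so the public registry is never consulted for them.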

Continue reading on Dev.to
