Dependency Confusion Vulnerability Scanner and PoC Generator

Navigation

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

DepRaptor

Dependency Confusion Vulnerability Scanner & PoC Framework

Developer: LAKSHMIKANTHAN K (letchupkt)
Version: 2.0.0
License: MIT

________                  __________                  __
\______ \    ____  ______ \______   \_____   ______ _/  |_  ____ _______
 |    |  \ _/ __ \ \____ \ |       _/\__  \  \____ \\   __\/  _ \\_  __ \
 |    `   \\  ___/ |  |_> >|    |   \ / __ \_|  |_> >|  | (  <_> )|  | \/
/_______  / \___  >|   __/ |____|_  /(____  /|   __/ |__|  \____/ |__|
        \/      \/ |__|           \/      \/ |__|

Dependency Confusion Scanner
Developer: LAKSHMIKANTHAN K (letchupkt)

What is DepRaptor?

DepRaptor is a production-grade dependency confusion vulnerability scanner built for security researchers and bug bounty hunters. It detects packages vulnerable to dependency confusion attacks across multiple ecosystems, generates proof-of-concept packages with modular payloads, and produces detailed reports — all from a single CLI.

Installation

pip install depraptor

Quick Start

# Interactive mode — guided step-by-step workflow
depraptor scan ./my-project

# Scan with explicit payload and callback
depraptor scan ./my-project --payload webhook --callback https://webhook.site/xxx

# Scan a GitHub repo
depraptor scan https://github.com/org/repo

# Scan an entire GitHub org
depraptor scan org:stripe

# Scan from a list of repo URLs
depraptor scan list:repos.txt

# Scan from a list of local paths
depraptor scan paths:targets.txt

# Dry-run with autopublish (no actual upload)
depraptor scan ./my-project --autopublish --simulate

# Check environment
depraptor doctor

CLI Reference

depraptor scan TARGET [OPTIONS]
Flag Short Description
--payload -p Payload type: system_info | webhook | discord | interactsh | ci_env_dump | custom
--callback -c Callback URL for webhook/discord/interactsh payloads
--threads -t Registry check threads (default: 10)
--output -o Output directory (default: ./results)
--repo-dir Directory for cloned repos (default: ./repos)
--autopublish Publish PoC packages after generation (requires confirmation)
--simulate Dry-run — build PoCs but skip publishing
--secrets Run TruffleHog secret scan on the target
--github-token GitHub personal access token
--verbose -v Verbose logging to stderr

Interactive Mode

Running depraptor scan <target> with no payload flags enters interactive mode:

  1. Scan dependencies and check registries
  2. Display vulnerable packages
  3. Prompt to choose PoC payload type
  4. Prompt for callback URL (if needed)
  5. Generate PoC packages
  6. Ask if you want to publish (default: No)
  7. Safety confirmation before any publish

Payload Types

Payload Description
system_info Logs hostname, username, cwd, env vars to a local file
webhook POSTs system info as JSON to an HTTP callback URL
discord Sends a formatted message to a Discord webhook
interactsh DNS/HTTP ping to an interact.sh OOB domain
ci_env_dump Captures CI/CD tokens and secrets to a local file
custom Stub for your own payload code

Target Modes

Format Example Description
Local path ./project Scan a local directory
GitHub URL https://github.com/org/repo Clone and scan a single repo
GitHub org org:stripe Scan all public repos in an org
Repo list list:repos.txt Scan repos from a URL list file
Path list paths:targets.txt Scan multiple local paths from a file

Output Structure

results/
├── report.json          # Full JSON report
├── report.md            # Markdown report
├── dependencies.json    # All parsed dependencies
├── logs/
│   └── scan.log
└── pocs/
    └── <package-name>/
        ├── payload.py
        ├── setup.py
        ├── pyproject.toml
        └── README.md

Configuration File

Create ~/.depraptor/config.yaml to set defaults:

threads: 20
default_payload: webhook
simulate: false
npm_token: ""
pypi_token: ""
github_token: ""
verbose: false

CLI flags always override config file values.

Risk Scoring

Each vulnerable package gets a risk score from 0–10:

Factor Score
Not in public registry +5.0
Internal naming pattern (internal-, private-, etc.) +2.0
CI/CD pipeline detected +1.5
Unpinned / wildcard version +1.0
Short package name +0.5

Supported Dependency Files

Ecosystem Files
Python requirements*.txt, pyproject.toml, setup.py, Pipfile
Node.js package.json
Ruby Gemfile
Go go.mod
Rust Cargo.toml

Security Notice

This tool is intended only for authorized security testing, bug bounty programs with proper scope, and security research with explicit permission.

  • Do NOT publish PoC packages to public registries without authorization
  • Do NOT test systems you don't own or have written permission to test
  • Always follow responsible disclosure practices

Unauthorized use may be illegal. The author is not responsible for misuse.

Developer: LAKSHMIKANTHAN K (letchupkt)

Project details

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

2.0.8

2.0.7

2.0.5

2.0.3

2.0.2

2.0.1

2.0.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

depraptor-2.0.8.tar.gz (28.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

depraptor-2.0.8-py3-none-any.whl (35.5 kB view details)

Uploaded Python 3

File details

Details for the file depraptor-2.0.8.tar.gz.

File metadata

  • Download URL: depraptor-2.0.8.tar.gz
  • Upload date:
  • Size: 28.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.8.tar.gz
Algorithm Hash digest
SHA256 ce865cbc4393a61b3ab63a9bc8889fdd68b0e8c1dc9155fb505454b63d173158
MD5 60264b3f71ef8de162af32fb8da47f83
BLAKE2b-256 76bcf331c0dfb2025b54928de1421dc81be468b17278a7105d7d8ab438345f1f

See more details on using hashes here.

File details

Details for the file depraptor-2.0.8-py3-none-any.whl.

File metadata

  • Download URL: depraptor-2.0.8-py3-none-any.whl
  • Upload date:
  • Size: 35.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.8-py3-none-any.whl
Algorithm Hash digest
SHA256 1f491182355e3a167fa9a40e35029d417207f14312667c7dd206655013959242
MD5 0d57b500ac4979441a7a3cc8b9eef091
BLAKE2b-256 75eaa222b544f378e2b81e608f8a537f323bbd4b307831f0223ca1e1695943d5

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page