Dependency Confusion Vulnerability Scanner and PoC Generator

Navigation

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

DepRaptor

Dependency Confusion Vulnerability Scanner & PoC Framework

Developer: LAKSHMIKANTHAN K (letchupkt)
Version: 2.0.0
License: MIT

________                  __________                  __
\______ \    ____  ______ \______   \_____   ______ _/  |_  ____ _______
 |    |  \ _/ __ \ \____ \ |       _/\__  \  \____ \\   __\/  _ \\_  __ \
 |    `   \\  ___/ |  |_> >|    |   \ / __ \_|  |_> >|  | (  <_> )|  | \/
/_______  / \___  >|   __/ |____|_  /(____  /|   __/ |__|  \____/ |__|
        \/      \/ |__|           \/      \/ |__|

Dependency Confusion Scanner
Developer: LAKSHMIKANTHAN K (letchupkt)

What is DepRaptor?

DepRaptor is a production-grade dependency confusion vulnerability scanner built for security researchers and bug bounty hunters. It detects packages vulnerable to dependency confusion attacks across multiple ecosystems, generates proof-of-concept packages with modular payloads, and produces detailed reports — all from a single CLI.

Installation

pip install depraptor

Quick Start

# Interactive mode — guided step-by-step workflow
depraptor scan ./my-project

# Scan with explicit payload and callback
depraptor scan ./my-project --payload webhook --callback https://webhook.site/xxx

# Scan a GitHub repo
depraptor scan https://github.com/org/repo

# Scan an entire GitHub org
depraptor scan org:stripe

# Scan from a list of repo URLs
depraptor scan list:repos.txt

# Scan from a list of local paths
depraptor scan paths:targets.txt

# Dry-run with autopublish (no actual upload)
depraptor scan ./my-project --autopublish --simulate

# Check environment
depraptor doctor

CLI Reference

depraptor scan TARGET [OPTIONS]
Flag Short Description
--payload -p Payload type: system_info | webhook | discord | interactsh | ci_env_dump | custom
--callback -c Callback URL for webhook/discord/interactsh payloads
--threads -t Registry check threads (default: 10)
--output -o Output directory (default: ./results)
--repo-dir Directory for cloned repos (default: ./repos)
--autopublish Publish PoC packages after generation (requires confirmation)
--simulate Dry-run — build PoCs but skip publishing
--secrets Run TruffleHog secret scan on the target
--github-token GitHub personal access token
--verbose -v Verbose logging to stderr

Interactive Mode

Running depraptor scan <target> with no payload flags enters interactive mode:

  1. Scan dependencies and check registries
  2. Display vulnerable packages
  3. Prompt to choose PoC payload type
  4. Prompt for callback URL (if needed)
  5. Generate PoC packages
  6. Ask if you want to publish (default: No)
  7. Safety confirmation before any publish

Payload Types

Payload Description
system_info Logs hostname, username, cwd, env vars to a local file
webhook POSTs system info as JSON to an HTTP callback URL
discord Sends a formatted message to a Discord webhook
interactsh DNS/HTTP ping to an interact.sh OOB domain
ci_env_dump Captures CI/CD tokens and secrets to a local file
custom Stub for your own payload code

Target Modes

Format Example Description
Local path ./project Scan a local directory
GitHub URL https://github.com/org/repo Clone and scan a single repo
GitHub org org:stripe Scan all public repos in an org
Repo list list:repos.txt Scan repos from a URL list file
Path list paths:targets.txt Scan multiple local paths from a file

Output Structure

results/
├── report.json          # Full JSON report
├── report.md            # Markdown report
├── dependencies.json    # All parsed dependencies
├── logs/
│   └── scan.log
└── pocs/
    └── <package-name>/
        ├── payload.py
        ├── setup.py
        ├── pyproject.toml
        └── README.md

Configuration File

Create ~/.depraptor/config.yaml to set defaults:

threads: 20
default_payload: webhook
simulate: false
npm_token: ""
pypi_token: ""
github_token: ""
verbose: false

CLI flags always override config file values.

Risk Scoring

Each vulnerable package gets a risk score from 0–10:

Factor Score
Not in public registry +5.0
Internal naming pattern (internal-, private-, etc.) +2.0
CI/CD pipeline detected +1.5
Unpinned / wildcard version +1.0
Short package name +0.5

Supported Dependency Files

Ecosystem Files
Python requirements*.txt, pyproject.toml, setup.py, Pipfile
Node.js package.json
Ruby Gemfile
Go go.mod
Rust Cargo.toml

Security Notice

This tool is intended only for authorized security testing, bug bounty programs with proper scope, and security research with explicit permission.

  • Do NOT publish PoC packages to public registries without authorization
  • Do NOT test systems you don't own or have written permission to test
  • Always follow responsible disclosure practices

Unauthorized use may be illegal. The author is not responsible for misuse.

Developer: LAKSHMIKANTHAN K (letchupkt)

Project details

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

2.0.8

2.0.7

2.0.5

2.0.3

2.0.2

2.0.1

This version

2.0.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

depraptor-2.0.0.tar.gz (26.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

depraptor-2.0.0-py3-none-any.whl (33.2 kB view details)

Uploaded Python 3

File details

Details for the file depraptor-2.0.0.tar.gz.

File metadata

  • Download URL: depraptor-2.0.0.tar.gz
  • Upload date:
  • Size: 26.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.0.tar.gz
Algorithm Hash digest
SHA256 c833e3ff793ae6fe89026f316148fbde0220f71a13b99a66f1100636990efadb
MD5 eca5b1c18383c6c887de3dd2c6167e0d
BLAKE2b-256 d52efedc8f6d46d9ea29a02a1d1a5f09c4f2f620f6e599881e111ecaaaf3869e

See more details on using hashes here.

File details

Details for the file depraptor-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: depraptor-2.0.0-py3-none-any.whl
  • Upload date:
  • Size: 33.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9d5289442e3bc23d71bcd499cc5c91864f9e143e7547674f7a13e79d9ea39802
MD5 a118712485e6540f44225ce06947a23f
BLAKE2b-256 50749f5429b39018e307603f7164d3c2cd1171abcaea5531663933d2eea818b3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page