Dependency Confusion Vulnerability Scanner and PoC Generator

Navigation

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

DepRaptor

Dependency Confusion Vulnerability Scanner & PoC Framework

Developer: LAKSHMIKANTHAN K (letchupkt)
Version: 2.0.0
License: MIT

________                  __________                  __
\______ \    ____  ______ \______   \_____   ______ _/  |_  ____ _______
 |    |  \ _/ __ \ \____ \ |       _/\__  \  \____ \\   __\/  _ \\_  __ \
 |    `   \\  ___/ |  |_> >|    |   \ / __ \_|  |_> >|  | (  <_> )|  | \/
/_______  / \___  >|   __/ |____|_  /(____  /|   __/ |__|  \____/ |__|
        \/      \/ |__|           \/      \/ |__|

Dependency Confusion Scanner
Developer: LAKSHMIKANTHAN K (letchupkt)

What is DepRaptor?

DepRaptor is a production-grade dependency confusion vulnerability scanner built for security researchers and bug bounty hunters. It detects packages vulnerable to dependency confusion attacks across multiple ecosystems, generates proof-of-concept packages with modular payloads, and produces detailed reports — all from a single CLI.

Installation

pip install depraptor

Quick Start

# Interactive mode — guided step-by-step workflow
depraptor scan ./my-project

# Scan with explicit payload and callback
depraptor scan ./my-project --payload webhook --callback https://webhook.site/xxx

# Scan a GitHub repo
depraptor scan https://github.com/org/repo

# Scan an entire GitHub org
depraptor scan org:stripe

# Scan from a list of repo URLs
depraptor scan list:repos.txt

# Scan from a list of local paths
depraptor scan paths:targets.txt

# Dry-run with autopublish (no actual upload)
depraptor scan ./my-project --autopublish --simulate

# Check environment
depraptor doctor

CLI Reference

depraptor scan TARGET [OPTIONS]
Flag Short Description
--payload -p Payload type: system_info | webhook | discord | interactsh | ci_env_dump | custom
--callback -c Callback URL for webhook/discord/interactsh payloads
--threads -t Registry check threads (default: 10)
--output -o Output directory (default: ./results)
--repo-dir Directory for cloned repos (default: ./repos)
--autopublish Publish PoC packages after generation (requires confirmation)
--simulate Dry-run — build PoCs but skip publishing
--secrets Run TruffleHog secret scan on the target
--github-token GitHub personal access token
--verbose -v Verbose logging to stderr

Interactive Mode

Running depraptor scan <target> with no payload flags enters interactive mode:

  1. Scan dependencies and check registries
  2. Display vulnerable packages
  3. Prompt to choose PoC payload type
  4. Prompt for callback URL (if needed)
  5. Generate PoC packages
  6. Ask if you want to publish (default: No)
  7. Safety confirmation before any publish

Payload Types

Payload Description
system_info Logs hostname, username, cwd, env vars to a local file
webhook POSTs system info as JSON to an HTTP callback URL
discord Sends a formatted message to a Discord webhook
interactsh DNS/HTTP ping to an interact.sh OOB domain
ci_env_dump Captures CI/CD tokens and secrets to a local file
custom Stub for your own payload code

Target Modes

Format Example Description
Local path ./project Scan a local directory
GitHub URL https://github.com/org/repo Clone and scan a single repo
GitHub org org:stripe Scan all public repos in an org
Repo list list:repos.txt Scan repos from a URL list file
Path list paths:targets.txt Scan multiple local paths from a file

Output Structure

results/
├── report.json          # Full JSON report
├── report.md            # Markdown report
├── dependencies.json    # All parsed dependencies
├── logs/
│   └── scan.log
└── pocs/
    └── <package-name>/
        ├── payload.py
        ├── setup.py
        ├── pyproject.toml
        └── README.md

Configuration File

Create ~/.depraptor/config.yaml to set defaults:

threads: 20
default_payload: webhook
simulate: false
npm_token: ""
pypi_token: ""
github_token: ""
verbose: false

CLI flags always override config file values.

Risk Scoring

Each vulnerable package gets a risk score from 0–10:

Factor Score
Not in public registry +5.0
Internal naming pattern (internal-, private-, etc.) +2.0
CI/CD pipeline detected +1.5
Unpinned / wildcard version +1.0
Short package name +0.5

Supported Dependency Files

Ecosystem Files
Python requirements*.txt, pyproject.toml, setup.py, Pipfile
Node.js package.json
Ruby Gemfile
Go go.mod
Rust Cargo.toml

Security Notice

This tool is intended only for authorized security testing, bug bounty programs with proper scope, and security research with explicit permission.

  • Do NOT publish PoC packages to public registries without authorization
  • Do NOT test systems you don't own or have written permission to test
  • Always follow responsible disclosure practices

Unauthorized use may be illegal. The author is not responsible for misuse.

Developer: LAKSHMIKANTHAN K (letchupkt)

Project details

Verified details

These details have been verified by PyPI
Project links
Maintainers
Avatar for letchupkt from gravatar.com letchupkt

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: LAKSHMIKANTHAN K (letchupkt)
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

2.0.8

This version

2.0.7

2.0.5

2.0.3

2.0.2

2.0.1

2.0.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

depraptor-2.0.7.tar.gz (28.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

depraptor-2.0.7-py3-none-any.whl (35.5 kB view details)

Uploaded Python 3

File details

Details for the file depraptor-2.0.7.tar.gz.

File metadata

  • Download URL: depraptor-2.0.7.tar.gz
  • Upload date:
  • Size: 28.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.7.tar.gz
Algorithm Hash digest
SHA256 257a1d5050ab8cb82a2778e51bc9753bd77d55f8f5cde7d21f1b6c9f774603d3
MD5 acb1b8951aa8c226adf91e6347bfb699
BLAKE2b-256 104a86bd96b1928fca57e78be1c6bad51838d6f8dc239f00cdb5408aa0758fcb

See more details on using hashes here.

File details

Details for the file depraptor-2.0.7-py3-none-any.whl.

File metadata

  • Download URL: depraptor-2.0.7-py3-none-any.whl
  • Upload date:
  • Size: 35.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.0

File hashes

Hashes for depraptor-2.0.7-py3-none-any.whl
Algorithm Hash digest
SHA256 d12c01a7cd2e6e7d0aafef6bebc522154ec6eb73aaf7f68e6b6f364adb5133b6
MD5 41d797d6d036628efa54539a09971d5c
BLAKE2b-256 accc1b3ac6af081284096de24fedb3ea60cb6a6ef533056a280a258f326acd56

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page