omaronsec/dependencies-hunter

Dependencies Hunter

Dependency confusion scanner for bug bounty. Extracts package names from JavaScript files, manifest files, and GitHub repos — then checks if they're unclaimed on public registries and auto-claims them.

Supported Ecosystems

  • npm / yarn (package.json, package-lock.json, yarn.lock, JS bundles)
  • PyPI / pip (requirements.txt, setup.py, Pipfile, pyproject.toml)
  • RubyGems (Gemfile, Gemfile.lock, .gemspec)

Modes

JS Analysis (-js)

Analyzes JavaScript files for internal/private package names embedded in webpack bundles, require() calls, import statements, and dependency blocks.

python3 main.py -js js_urls.txt -notify -o results.txt

Domain Fuzzing (-dL)

Crawls the target homepage to extract real directory paths (1-3 segments), generates traversal combinations from them, and fuzzes those paths with ffuf to find exposed manifest files (package.json, requirements.txt, Gemfile, etc.). Uses user-agent rotation from user-agent.txt to avoid blocks.

python3 main.py -dL domains.txt -notify -o results.txt

GitHub Org Scanning (-org)

Searches a GitHub organization's repos for manifest files, fetches them, extracts dependencies, and checks registries.

python3 main.py -org target-org -dL domains.txt -notify -o results.txt

Setup

Requirements

pip3 install -r requirements.txt

# ffuf (for domain fuzzing mode)
go install github.com/ffuf/ffuf/v2@latest

npm (for auto-claiming)

npm login

GitHub CLI (for -org mode)

gh auth login

Telegram Notifications

  1. Create a bot via @BotFather on Telegram
  2. Send a message to your bot
  3. Get your chat ID from https://api.telegram.org/bot<TOKEN>/getUpdates
  4. Edit .env:
USE_NOTIFY=false
TELEGRAM_BOT_TOKEN=your_token
TELEGRAM_CHAT_ID=your_chat_id

How It Works

Target → Extract package names → Check registry (404 = unclaimed)
  → Auto-claim → Telegram notification

Extraction Patterns

The tool extracts package names from:

  • node_modules/@scope/package-name paths in webpack bundles
  • "dependencies": { "pkg": "^1.0.0" } blocks
  • require("package-name") calls
  • import ... from "package-name" statements
  • Python requirements, Gemfile declarations

Filtering

  • Skips 500+ known public packages (react, angular, lodash, express, etc.)
  • Skips Node.js built-in modules
  • Skips known public scopes (@angular/, @babel/, @types/, etc.)
  • Validates package names against npm naming rules
  • Caches results in SQLite to avoid re-checking
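The extraction patterns and the filtering rules above, as one added example written for this page rather than code from the project's own extractor.py or filters.py. It implements the four JavaScript patterns, the requirements.txt and Gemfile parsers, and the skip rules (known public names, Node built-ins, public scopes, naming-rule validation). The skip lists and naming regexes are short, simplified stand-ins for the real ones, and the bundle, requirements and Gemfile samples are constructed, so the whole thing runs offline. Used this way, it lets a maintainer audit their own shipped bundles for internal package names that have leaked into public JavaScript.

```python
# Extraction + filtering of candidate package names (added example, simplified lists).
import re
from typing import Optional, Set

# Constructed stand-ins for the tool's "known public" lists, keyed by ecosystem.
KNOWN_PUBLIC = {
    "npm": {"react", "react-dom", "lodash", "express", "angular", "axios"},
    "pypi": {"requests", "flask", "django", "numpy"},
    "rubygems": {"rails", "rake", "nokogiri"},
}
KNOWN_PUBLIC_SCOPES = {"@angular", "@babel", "@types"}
NODE_BUILTINS = {"fs", "path", "os", "http", "https", "crypto", "util", "events", "stream", "url", "child_process", "zlib", "net", "buffer"}

# Simplified naming rules: npm (lowercase, optional @scope/, max 214 chars), PyPI (PEP 508), RubyGems.
NAME_RULES = {
    "npm": re.compile(r"^(?:@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]{0,213}$"),
    "pypi": re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$"),
    "rubygems": re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$"),
}

# The JavaScript extraction patterns described in the README.
JS_PATTERNS = [
    re.compile(r"node_modules/((?:@[\w.-]+/)?[\w.-]+)"),   # webpack module paths
    re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)"""),  # require("pkg")
    re.compile(r"""\bfrom\s+['"]([^'"]+)['"]"""),          # import x from "pkg"
    re.compile(r"""\bimport\s+['"]([^'"]+)['"]"""),        # import "pkg" (side-effect import)
]
DEPS_BLOCK = re.compile(r'"(?:dev|peer|optional)?[dD]ependencies"\s*:\s*\{([^}]*)\}')
DEPS_KEY = re.compile(r'"([^"]+)"\s*:')
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
GEM_LINE = re.compile(r"""^\s*gem\s+['"]([^'"]+)['"]""", re.MULTILINE)


def normalize_js_specifier(spec: str) -> Optional[str]:
    """Reduce an import specifier to a registry package name; None for paths and URLs."""
    if spec.startswith((".", "/", "http:", "https:", "data:")):
        return None
    if spec.startswith("node:"):          # "node:fs" -> "fs" (dropped as a builtin later)
        spec = spec[len("node:"):]
    parts = spec.split("/")
    if spec.startswith("@"):              # "@scope/pkg/sub/path" -> "@scope/pkg"
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return parts[0]                       # "lodash/fp" -> "lodash"


def extract_from_js(text: str) -> Set[str]:
    found: Set[str] = set()
    for pattern in JS_PATTERNS:
        for spec in pattern.findall(text):
            name = normalize_js_specifier(spec)
            if name:
                found.add(name)
    for block in DEPS_BLOCK.findall(text):   # "dependencies": { "pkg": "^1.0.0" } blocks
        found.update(DEPS_KEY.findall(block))
    return found


def extract_from_requirements(text: str) -> Set[str]:
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip pip options such as -e / -r
            continue
        match = REQ_LINE.match(line)             # name before any version specifier
        if match:
            names.add(match.group(1))
    return names


def extract_from_gemfile(text: str) -> Set[str]:
    return set(GEM_LINE.findall(text))


def filter_candidates(names: Set[str], ecosystem: str) -> Set[str]:
    """Apply the skip rules: known public names and scopes, Node builtins, naming rules."""
    kept: Set[str] = set()
    for name in names:
        if name in KNOWN_PUBLIC[ecosystem]:
            continue
        if ecosystem == "npm":
            if name in NODE_BUILTINS:
                continue
            if name.startswith("@") and name.split("/")[0] in KNOWN_PUBLIC_SCOPES:
                continue
        if not NAME_RULES[ecosystem].match(name):
            continue
        kept.add(name)
    return kept


# Constructed sample inputs (not taken from any real target).
SAMPLE_BUNDLE = '''
/***/ "./node_modules/@acme/internal-auth/dist/index.js":
/***/ "./node_modules/react/index.js":
const x = require("lodash/fp");
const y = require("./local/thing");
import z from "@types/node";
import { f } from "acme-billing-core";
import "node:fs";
{"dependencies": {"express": "^4.18.0", "acme-feature-flags": "^1.2.0", "@angular/core": "^15.0.0"}}
'''
SAMPLE_REQUIREMENTS = '''
acme-data-pipeline==2.3.1  # internal tooling
requests>=2.28
-e git+https://github.com/acme/foo.git#egg=foo
'''
SAMPLE_GEMFILE = '''
source "https://rubygems.org"
gem "rails", "~> 7.0"
gem 'acme-internal-payments', git: "git@github.com:acme/payments.git"
'''
```

Running `filter_candidates(extract_from_js(SAMPLE_BUNDLE), "npm")` leaves only the three acme names: the public packages, the `@types/` and `@angular/` scopes, the relative require and the `node:fs` builtin are all dropped. PyPI names are compared case- and separator-sensitively here; a production version should normalise them (lowercase, `_` and `.` folded to `-`) before comparing against any list.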

Auto-Claiming

When an unclaimed package is found (registry returns 404), the tool publishes a benign placeholder package and sends you a Telegram notification with the package name, ecosystem, and source URL.
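The registry check that precedes the claim step (404 = unclaimed), together with the SQLite result cache mentioned under Filtering, as an added example that is not the project's registry_checker.py or config.py. It queries the public metadata endpoints of npm, PyPI and RubyGems, caches only definitive answers (200 or 404) so transient errors are retried, and produces an audit report a package owner can act on: an unclaimed internal name should be reserved by its owner, and a claimed one should be checked against who actually published it. The network call is injectable, and the `FakeFetch` stand-in with its fixed status table is constructed so the block runs offline; `http_status` uses the real urllib API for live use.

```python
# Public-registry existence check with a SQLite cache (added example, not the project's code).
import sqlite3
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Metadata endpoints of the public registries; a 404 means no package of that name exists.
REGISTRY_URL = {
    "npm": "https://registry.npmjs.org/{name}",
    "pypi": "https://pypi.org/pypi/{name}/json",
    "rubygems": "https://rubygems.org/api/v1/gems/{name}.json",
}


def http_status(url: str, timeout: float = 10.0) -> int:
    """Live fetch returning the HTTP status code, or 0 on a network failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "internal-package-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return 0


class RegistryChecker:
    def __init__(self, fetch_status: Callable[[str], int] = http_status, db_path: str = ":memory:"):
        self.fetch_status = fetch_status
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS checks ("
            "ecosystem TEXT, name TEXT, status INTEGER, PRIMARY KEY (ecosystem, name))"
        )

    def status(self, ecosystem: str, name: str) -> int:
        row = self.db.execute(
            "SELECT status FROM checks WHERE ecosystem = ? AND name = ?", (ecosystem, name)
        ).fetchone()
        if row is not None:                      # cache hit: no network call
            return row[0]
        code = self.fetch_status(REGISTRY_URL[ecosystem].format(name=name))
        if code in (200, 404):                   # cache only definitive answers
            self.db.execute("INSERT OR REPLACE INTO checks VALUES (?, ?, ?)", (ecosystem, name, code))
            self.db.commit()
        return code

    def classify(self, ecosystem: str, name: str) -> str:
        return {200: "claimed", 404: "unclaimed"}.get(self.status(ecosystem, name), "unknown")


def audit(checker: RegistryChecker, internal: Dict[str, List[str]]) -> Dict[str, str]:
    """Report the public-registry state of each internal package name, keyed "ecosystem:name"."""
    return {f"{eco}:{name}": checker.classify(eco, name)
            for eco, names in internal.items() for name in names}


# Constructed stand-in for the network: a fixed status per URL, counting the calls made.
FAKE_REGISTRY = {
    "https://registry.npmjs.org/@acme/internal-auth": 404,
    "https://registry.npmjs.org/acme-billing-core": 200,
    "https://pypi.org/pypi/acme-data-pipeline/json": 404,
    "https://rubygems.org/api/v1/gems/acme-internal-payments.json": 503,
}


class FakeFetch:
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, url: str) -> int:
        self.calls += 1
        return FAKE_REGISTRY.get(url, 0)


SAMPLE_INTERNAL = {
    "npm": ["@acme/internal-auth", "acme-billing-core"],
    "pypi": ["acme-data-pipeline"],
    "rubygems": ["acme-internal-payments"],
}
```

With the fake fetch, the first `audit(RegistryChecker(fetch), SAMPLE_INTERNAL)` makes four requests and a second run makes one more, because the 503 for the RubyGems name was deliberately not cached. For a live run, pass a file path instead of `":memory:"` so the cache persists between invocations, as the tool's SQLite cache does.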

Usage

python3 main.py -js FILE      JS analysis mode
python3 main.py -dL FILE      Domain fuzzing mode
python3 main.py -org NAME     GitHub org scan (requires -dL)

Flags:
  -notify                     Enable Telegram notifications
  -o FILE                     Output file (default: output/results.txt)
  -v                          Verbose output

Project Structure

main.py                 CLI entry point + prerequisites check
config.py               Settings, .env, SQLite cache
filters.py              CDN skip list, known public packages
extractor.py            Package name extraction + cleaning
registry_checker.py     Check npm/PyPI/RubyGems registries
claimer.py              Auto-claim unclaimed packages
notifier.py             Telegram notifications
js_analyzer.py          JS file analysis mode
domain_fuzzer.py        Domain manifest fuzzing mode
github_scanner.py       GitHub org scanning mode
package_patterns.txt    Manifest path wordlist (87 patterns)
user-agent.txt          935 user-agents for rotation

Disclaimer

This tool is intended for authorized security research and bug bounty programs only. Only use it against targets you have explicit permission to test.
