🛡️ Advanced Chrome Extension to detect unpublished, removed, or suspicious dependencies across GitHub repositories.
Lightweight • Fast • Security-Focused • Zero Tracking
PACO scanning a GitHub repository and detecting an unpublished dependency that could potentially lead to a dependency confusion vulnerability.
PACO has been used to identify real dependency confusion vulnerabilities in bug bounty programs.
Findings discovered using PACO resulted in the following rewards:
- 💰 $625 – Cloudflare Bug Bounty
- 💰 $350 – Cloudflare Bug Bounty
These findings demonstrate how supply-chain vulnerabilities still exist in modern software ecosystems.
PACO helps security researchers and developers identify such risks before attackers do.
Sidhanta Palei (@r00tSid)
Security Researcher | Bug Bounty Hunter
Dependency Confusion (Substitution Attack) is a supply-chain vulnerability where an attacker publishes a malicious package with the same name as an internal/private dependency.
If the build system prefers public registries, it may install the malicious package instead.
This can result in:
- Remote Code Execution
- Data Exfiltration
- CI/CD Compromise
- Supply Chain Attacks
PACO helps identify such risks early.
PACO (Package Confuser) is a Chrome Extension designed to help developers and security researchers identify:
- 🔴 Unpublished packages
- ❌ Non-existent dependencies
- ⚠️ Potential dependency confusion risks
- 📦 Broken or removed packages
It scans public GitHub repositories and validates dependencies directly against official package registries.
PACO has evolved significantly from its initial release.
PACO now automatically detects the ecosystem based on the dependency file present:
- Gemfile → Ruby
- package.json → NPM
- requirements.txt → Python
Works on:
- Repository pages
- Blob/file pages
- GitHub search result pages
Detection priority:
- URL-based detection
- Repository file fallback
One-click SAVE SCAN RESULTS button downloads a structured JSON report containing:
- Target URL
- Ecosystem
- Total dependencies scanned
- Total findings
- Timestamp
- Detailed findings list
- Prevents duplicate dependency scans
- Prevents duplicate findings
- Optimized request queue for performance
Fully supports scanning directly from GitHub search result pages.
Ecosystem detection is now context-aware and URL-driven.
- Open Google Chrome
- Navigate to chrome://extensions
- Enable Developer Mode
- Click Load Unpacked
- Select the PACO project folder
- Done ✅
- Visit:
  - A GitHub repository
  - A dependency file (Gemfile, package.json, requirements.txt)
  - A GitHub search results page
- Click the PACO extension icon
- Click INITIATE SCAN
- PACO will:
  - Detect ecosystem automatically
  - Extract dependencies
  - Query official registries
  - Flag high-risk packages
- Click SAVE SCAN RESULTS to download the JSON report.
| Ecosystem | Files Scanned | Registry |
|---|---|---|
| Node.js | package.json | registry.npmjs.org |
| Ruby | Gemfile | rubygems.org |
| Python | requirements.txt | pypi.org |
More ecosystems coming soon: Go Modules, Cargo, NuGet, Maven
Detects repository context and extracts dependency files.
- JSON parsing (NPM)
- Regex-based gem parsing (Ruby)
- Line-based parsing (Python)
Queries official registries to detect:
- ✅ Published
- ❌ Not Found
- 🔴 Unpublished
- Deduplicates dependencies
- Handles concurrency efficiently
- Provides clean output
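As an added example (not PACO's own code), the three parsers described above plus the deduplicate-and-classify step, with the registry lookup injected so it runs offline against a constructed npm-style response table. The rule that treats a 200 response carrying time.unpublished as Unpublished is an assumption about the npm registry, and the package names in the table are constructed.

```javascript
// Added example, not PACO's code: parse the three dependency-file formats the
// README lists, dedupe, and classify names via an injected (offline) registry lookup.

// package.json: dependencies + devDependencies (JSON parsing)
function parsePackageJson(text) {
  const pkg = JSON.parse(text);
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Gemfile: lines such as  gem 'rails', '~> 7.0'  (regex-based parsing)
function parseGemfile(text) {
  return text.split("\n")
    .map((l) => l.match(/^\s*gem\s+['"]([^'"]+)['"]/))
    .filter(Boolean).map((m) => m[1]);
}

// requirements.txt: one requirement per line; drop comments, option lines
// (-r, -e) and URL requirements, keep the name before any specifier or extras
function parseRequirements(text) {
  const names = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line.startsWith("-") || line.includes("://")) continue;
    const m = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)/);
    if (m) names.push(m[1].toLowerCase()); // PyPI names are case-insensitive
  }
  return names;
}

// lookup(name) -> { status, body }: HTTP status and parsed JSON from the
// registry. The "Unpublished" rule (npm answers 200 with time.unpublished for a
// package that was removed) is an assumption about the npm registry, not PACO's.
function classify(names, lookup) {
  const unique = [...new Set(names)]; // dedupe before querying
  const findings = [];
  for (const name of unique) {
    const { status, body } = lookup(name);
    let result = "Published";
    if (status === 404) result = "Not Found";
    else if (body && body.time && body.time.unpublished) result = "Unpublished";
    if (result !== "Published") findings.push({ name, status: result });
  }
  return { totalDependencies: unique.length, totalFindings: findings.length, findings };
}

// Constructed stand-in for registry.npmjs.org responses (not real data)
const FAKE_NPM = {
  "left-pad": { status: 200, body: { name: "left-pad" } },
  "acme-internal-auth": { status: 404, body: null },
  "old-widget": { status: 200, body: { time: { unpublished: { time: "2024-01-01" } } } },
};
const npmLookup = (name) => FAKE_NPM[name] || { status: 404, body: null };
```

In the extension the lookup would wrap fetch against the registry URL for the detected ecosystem; here it is synchronous so the logic can be checked without network access.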
```json
{
  "timestamp": "2026-02-12T18:32:11Z",
  "target": "https://github.com/org/repo",
  "ecosystem": "RUBY",
  "totalDependencies": 14,
  "totalFindings": 1,
  "findings": [
    {
      "name": "example-package",
      "type": "ruby",
      "status": "Unpublished"
    }
  ]
}
```

| Layer | Tech Used |
|---|---|
| Platform | Chrome Extension (Manifest V3) |
| Frontend | HTML, CSS, Vanilla JavaScript |
| Backend Logic | Fetch API, async/await, RegEx |
| Concurrency | Custom batch queue with smart throttling |
| Messaging | Chrome runtime message passing |
```text
paco/
├── background.js   # Handles fetch requests and queues
├── content.js      # Scans GitHub pages for package links
├── manifest.json   # Chrome extension config (Manifest V3)
├── popup.html      # Extension popup UI
├── popup.js        # Popup logic and messaging
├── style.css       # UI styling
└── icons/          # Icon assets (128x128, etc.)
```
- Anurag Kumar – @anurag6240
- Sidhanta Palei – @r00tSid
- GitHub logo used under fair use (GitHub Brand Guidelines).
- This extension is not affiliated with or endorsed by GitHub.