GhostPack is a high-performance supply chain security tool written in Go. It scans subdomains for exposed package.json and lockfiles to detect "Dependency Confusion" vulnerabilities by identifying internal packages that are missing from the public npm registry.

GhostPack 👻📦

GhostPack is a dependency confusion scanner written in Go. It helps security researchers and developers identify potential dependency confusion vulnerabilities by scanning subdomains for exposed package.json or yarn.lock files and cross-referencing dependencies with the public NPM registry.

Features

  • Multi-Path Discovery: Probes for dependency files in common locations (/package.json, /app/package.json, etc.).
  • Smart Parsing: Extracts dependencies from both package.json and yarn.lock.
  • Vulnerability Analysis: Checks registry.npmjs.org to identify internal packages that are unclaimed on the public registry (404 Not Found), which are susceptible to dependency confusion attacks.
  • Protocol Agnostic: Automatically handles subdomains without protocols by defaulting to http://.
  • Concurrent Scanning: Highly parallelized execution with a configurable worker pool to prevent IP bans.
  • Secure Custom Headers: Supports custom headers (e.g., Authorization tokens) that are safely scoped only to the target domain scans and are never leaked to the NPM registry.

Installation

Using Go Install (Recommended).

go install github.com/byteoverride/ghostpack@latest 

Usage

GhostPack reads a list of subdomains from stdin and outputs results to stdout.

Basic Scan

cat subdomains.txt | ghostpack

Advanced Usage

# Scan with 50 concurrent workers and custom headers
cat subdomains.txt | ./ghostpack -w 50 -H "Authorization: Bearer <token>" -H "Cookie: session=123"

# Scan a single target with verbose output
./ghostpack -u https://example.com -v

Options

Flag  Description                                  Default
-w    Number of concurrent workers                 20
-u    Single target URL/Domain to scan             None
-v    Enable verbose output                        False
-H    Custom header (can be used multiple times)   None

Output Format

  • [FOUND]: A dependency file was discovered.
  • [SAFE]: The package exists on the public NPM registry.
  • [VULNERABLE]: The package returns a 404 on the public NPM registry, indicating it may be an internal package susceptible to substitution.

[FOUND] example.com | Found https://example.com/package.json
[SAFE] example.com | https://example.com/package.json | Package: react
[VULNERABLE] example.com | https://example.com/package.json | Package: @internal/secret-pkg
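How the [SAFE]/[VULNERABLE] verdicts above and the header scoping described under Features fit together, as an added Go example that is not GhostPack's own code. The function names, the registry parameter (the real registry being registry.npmjs.org) and the UNKNOWN verdict for non-200/404 answers are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"sort"
)

// TargetRequest builds the probe for one candidate path on the scanned host.
// The -H headers are attached here and nowhere else.
func TargetRequest(u string, custom http.Header) (*http.Request, error) {
	req, err := http.NewRequest("GET", u, nil)
	if err != nil { return nil, err }
	for k, vs := range custom {
		req.Header[k] = vs
	}
	return req, nil
}

// ParseDependencies returns the sorted dependency names from a package.json body.
func ParseDependencies(body []byte) []string {
	var pkg struct {
		Deps map[string]string `json:"dependencies"`
	}
	if json.Unmarshal(body, &pkg) != nil { return nil }
	names := make([]string, 0, len(pkg.Deps))
	for n := range pkg.Deps {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Classify looks one name up on the public registry (registry.npmjs.org in
// real use). It takes no custom headers, so a token given with -H cannot reach
// the registry. 404 means the name is unclaimed ([VULNERABLE]), 200 that it
// exists ([SAFE]); anything else, e.g. 429 rate limiting, is UNKNOWN, not guessed.
func Classify(registry, pkg string) (string, error) {
	// PathEscape encodes the "/" of a scoped name: @internal/secret-pkg -> @internal%2Fsecret-pkg
	resp, err := http.Get(registry + "/" + url.PathEscape(pkg))
	if err != nil { return "", err }
	resp.Body.Close()
	verdict, ok := map[int]string{http.StatusOK: "SAFE", http.StatusNotFound: "VULNERABLE"}[resp.StatusCode]
	if !ok {
		verdict = "UNKNOWN"
	}
	return verdict, nil
}
```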

Disclaimer

This tool is for educational and authorized security testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. The developer assumes no liability and is not responsible for any misuse or damage caused by this program.

License

MIT License
