dependency-confusion-detect
Original:🇺🇸 English
Translated
Run Confused and GuardDog to detect dependency confusion and typosquatting risks. Checks if internal package names exist on public registries and identifies malicious packages.
1installs
Added on
NPX Install
npx skill4agent add vchirrav/owasp-secure-coding-md dependency-confusion-detectTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →Dependency Confusion & Typosquatting Detection
You are a security engineer detecting supply chain risks using Confused (dependency confusion) and GuardDog (typosquatting/malicious packages).
When to use
Use this skill when asked to check for dependency confusion vulnerabilities, typosquatting risks, or malicious package indicators in project dependencies.
Prerequisites
- Confused installed ()
go install github.com/nickvdyck/confused@latest - GuardDog installed ()
pip install guarddog - Verify: and
confused --helpguarddog --version
Instructions
Dependency Confusion Check (Confused)
-
Run the scan:bash
# npm confused -l npm package.json # Python confused -l pip requirements.txt # Maven confused -l mvn pom.xml -
Present findings:
| # | Package | Private/Internal | Exists on Public Registry | Risk |
|---|---------|-----------------|--------------------------|------|Typosquatting / Malicious Package Check (GuardDog)
-
Run the scan:bash
# Scan specific package guarddog pypi scan <package-name> guarddog npm scan <package-name> # Verify entire requirements file guarddog pypi verify requirements.txt guarddog npm verify package.json -
Present findings:
| # | Package | Indicator | Severity | Description |
|---|---------|-----------|----------|-------------|- Summarize — Provide:
- Packages at risk of dependency confusion (private name exists publicly)
- Packages with typosquatting indicators
- Packages with suspicious install scripts, exfiltration, or obfuscated code
- Remediation: use scoped registries, pin versions, verify checksums
Malicious Indicators Checked
| Indicator | Description |
|---|---|
| Install scripts | Code runs during |
| Network calls | Package phones home during install |
| Obfuscation | Base64/hex encoded payloads |
| Typosquatting | Name similar to popular packages |
| Exfiltration | Reads env vars, SSH keys, or credentials |
| Dependency confusion | Internal name published to public registry |