GhostPack is a multi-ecosystem dependency confusion scanner written in Go. It helps security researchers and developers identify potential dependency confusion vulnerabilities by scanning subdomains for exposed dependency files and cross-referencing packages with public registries.
| Ecosystem | Files Detected | Public Registry |
|---|---|---|
| NPM | package.json, package-lock.json, yarn.lock, .npmrc | registry.npmjs.org |
| PyPI | requirements.txt, Pipfile, pyproject.toml, setup.py, setup.cfg | pypi.org |
| RubyGems | Gemfile, Gemfile.lock | rubygems.org |
| Go | go.mod, go.sum | proxy.golang.org |
- Multi-Ecosystem: Scans for NPM, PyPI, RubyGems, and Go dependency files in one pass.
- Multi-Path Discovery: Probes common locations (`/package.json`, `/frontend/package.json`, `/requirements.txt`, etc.).
- Smart Parsing: Extracts dependencies from `package.json` (all 5 dep types), `yarn.lock`, `package-lock.json` (v1/v2/v3), `requirements.txt`, `pyproject.toml`, `Pipfile`, `setup.py`, `Gemfile`, `Gemfile.lock`, `go.mod`, and `go.sum`.
- Registry Detection: Discovers exposed `.npmrc` and `.pypirc` files that reveal internal registry URLs.
- Content Validation: Rejects HTML error pages, validates Content-Type headers, and limits response sizes.
- Retry with Backoff: Automatic retry on 429/5xx responses with exponential backoff.
- Structured Output: JSON, JSON Lines, and CSV output for CI/CD integration.
- Proxy Support: Route scans through HTTP/SOCKS5 proxies.
- Scan Statistics: Summary of domains scanned, files found, and vulnerable packages.
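As an added example (not GhostPack's own code), the NPM parse-and-cross-reference step in Go: it collects names from all five `package.json` dependency sections, handles the array-style `bundledDependencies` correctly, refuses a non-JSON body such as an HTML error page served with HTTP 200, and reports the names absent from a constructed, offline stand-in for the public registry. `samplePackageJSON`, `publicNames`, `packageNames` and `unclaimed` are names chosen here, not the project's.

```go
package main

import (
	"encoding/json"
	"sort"
)
// Constructed sample manifest: map-style sections plus the array-style bundledDependencies.
const samplePackageJSON = `{"dependencies":{"react":"^18.2.0","@acme/ui-kit":"1.4.0"},"devDependencies":{"jest":"^29.0.0"},"optionalDependencies":{"acme-telemetry":"2.0.1"},"bundledDependencies":["@acme/ui-kit","lodash"]}`
// Constructed stand-in for a registry.npmjs.org lookup: the names the public registry knows.
var publicNames = map[string]bool{"react": true, "jest": true, "lodash": true}

// packageNames returns sorted, de-duplicated names from all five package.json dependency sections (four
// name->version maps plus the string-array bundledDependencies); a non-JSON body, e.g. an HTML error page, is an error.
func packageNames(raw []byte) (names []string, err error) {
	var doc map[string]interface{}
	if err = json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, s := range []string{"dependencies", "devDependencies", "peerDependencies",
		"optionalDependencies", "bundledDependencies", "bundleDependencies"} {
		switch sec := doc[s].(type) { // an absent or malformed section matches no case
		case map[string]interface{}:
			for n := range sec {
				seen[n] = true
			}
		case []interface{}:
			for _, n := range sec {
				if name, ok := n.(string); ok {
					seen[name] = true
				}
			}
		}
	}
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

// unclaimed returns the names the public registry lacks (what GhostPack labels VULNERABLE); publicExists is injected to run offline.
func unclaimed(names []string, publicExists func(string) bool) (out []string) {
	for _, n := range names {
		if !publicExists(n) {
			out = append(out, n)
		}
	}
	return out
}
```

Against the sample manifest this flags `@acme/ui-kit` and `acme-telemetry`; in a real check the scoped name also needs the `@acme` scope's public ownership verified, which is why GhostPack reports `is_scoped`.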
```bash
go install github.com/byteoverride/ghostpack@latest
```

```bash
cat subdomains.txt | ghostpack

# Scan with 50 workers, custom headers, JSON output
cat subdomains.txt | ghostpack -w 50 -H "Authorization: Bearer <token>" --json -o results.json

# Scan a single target, only show vulnerable packages
ghostpack -u https://example.com --vulnerable-only

# Scan from file, only NPM and PyPI ecosystems
ghostpack -f domains.txt --ecosystem npm,pypi

# Scan through a proxy with verbose output
ghostpack -f domains.txt --proxy http://127.0.0.1:8080 -v
```

| Flag | Description | Default |
|---|---|---|
| `-w` | Number of concurrent workers | 20 |
| `-u` | Single target URL/Domain to scan | — |
| `-f` | Read domains from file | — |
| `-v` | Enable verbose output | false |
| `-H` | Custom header (repeatable) | — |
| `-o` | Write output to file | stdout |
| `--json` | Output as JSON array | false |
| `--jsonl` | Output as JSON Lines (streaming) | false |
| `--csv` | Output as CSV | false |
| `--vulnerable-only` | Only show vulnerable packages | false |
| `--proxy` | HTTP/SOCKS5 proxy URL | — |
| `--timeout` | HTTP request timeout | 10s |
| `--registry` | NPM registry URL | registry.npmjs.org |
| `--scheme` | Force URL scheme (http/https) | auto |
| `--ecosystem` | Comma-separated ecosystems to scan | all |
```text
[FOUND] example.com | Found https://example.com/package.json
[SAFE] example.com | https://example.com/package.json | Package: react
[VULNERABLE] example.com | https://example.com/package.json | Package: @internal/secret-pkg
[REGISTRY] example.com | https://example.com/.npmrc | Internal registry: https://npm.internal.corp (scope:@company)
```
```bash
ghostpack -u example.com --json -o results.json
```

```json
[
  {
    "domain": "example.com",
    "file_url": "https://example.com/package.json",
    "file_type": "json",
    "package_name": "@internal/secret-pkg",
    "status": "VULNERABLE",
    "is_scoped": true,
    "ecosystem": "npm"
  }
]
```

This tool is for educational and authorized security testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. The developer assumes no liability and is not responsible for any misuse or damage caused by this program.
MIT License