SupplyShark was a SaaS platform designed to detect software supply chain vulnerabilities in real-time. It scanned thousands of packages to notify businesses of potential package hijacking vulnerabilities before an attack could occur.
While the business entity has wound down, the core technology remains a powerful example of high-scale security engineering and is now open source.
This tool was not just a prototype. I personally used the SupplyShark Engine to report critical vulnerabilities in bug bounty programs across:
- Immunefi (Crypto/Web3)
- HackerOne
- Private Disclosures
The engine successfully identified dependency confusion and package hijacking vectors in major protocols and platforms, securing thousands of dollars in bounties.
I am releasing the core engine because package hijacking remains a widespread and critical issue, especially in the modern crypto ecosystem where a single compromised dependency can lead to remote code execution (RCE) and potentially lead to the draining of user funds.
My goal is for Whitehat Hackers and Security Teams to use this tool to:
- Secure their own infrastructure against dependency attacks.
- Hunt for vulnerabilities in the wild to keep the ecosystem safe.
- supplyshark/supplyshark - The core scanning engine (Now Public).
- supplyshark/npm_poc - Proof-of-concept vectors used for internal testing.
Built by @haccer. For inquiries about the architecture or security research, please contact me directly.
