{"id":22952110,"url":"https://github.com/xh4h/loki","last_synced_at":"2025-08-13T01:32:33.419Z","repository":{"id":42373117,"uuid":"436751508","full_name":"Xh4H/Loki","owner":"Xh4H","description":"The Dependency Confusion vulnerability scanner and autoexploitation tool to help identifying and mitigating supply chain attacks","archived":false,"fork":false,"pushed_at":"2024-02-20T13:54:55.000Z","size":110,"stargazers_count":31,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-19T02:23:01.940Z","etag":null,"topics":["attacks","chain","confusion","dependency","exploit","migitation","poc","supply","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Xh4H.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2021-12-09T20:25:33.000Z","updated_at":"2024-11-09T01:49:27.000Z","dependencies_parsed_at":"2023-01-19T22:45:38.466Z","dependency_job_id":null,"html_url":"https://github.com/Xh4H/Loki","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xh4H%2FLoki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xh4H%2FLoki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xh4H%2FLoki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xh4H%2FLoki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Xh4H","download_url":"https://codeload.github.com/Xh4H
/Loki/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229721983,"owners_count":18114097,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attacks","chain","confusion","dependency","exploit","migitation","poc","supply","vulnerability-scanners"],"created_at":"2024-12-14T15:32:11.592Z","updated_at":"2024-12-14T15:32:12.257Z","avatar_url":"https://github.com/Xh4H.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003cp\u003e \u003cimg src=\"https://user-images.githubusercontent.com/20613820/195701467-fb6cb616-7708-4beb-8a2c-1f43b6e424ef.png\" alt=\"Loki\" width=\"100\"/\u003e \u003c/p\u003e\n\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003ca href=\"https://www.npmjs.org/package/@xh4h/loki\"\u003e\u003cimg src=\"https://badgen.net/npm/v/@xh4h/loki\" alt=\"npm version\"/\u003e\u003c/a\u003e\n \u003ca href=\"https://www.npmjs.org/package/@xh4h/loki\"\u003e\u003cimg src=\"https://badgen.net/npm/dt/@xh4h/loki\" alt=\"downloads\"/\u003e\u003c/a\u003e\n \u003ca href=\"https://snyk.io/test/github/xh4h/Loki\"\u003e\u003cimg src=\"https://snyk.io/test/github/xh4h/Loki/badge.svg\" alt=\"Known Vulnerabilities\"/\u003e\u003c/a\u003e\n \u003ca href=\"./SECURITY.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg\" alt=\"Responsible Disclosure Policy\" /\u003e\u003c/a\u003e\n \u003ca href=\"./LICENSE\"\u003e\u003cimg src=\"https://badgen.net/github/license/Xh4H/Loki\" alt=\"License\" 
/\u003e\u003c/a\u003e\n\u003c/div\u003e\n\n## About\n**Loki** helps to identify `NodeJS` projects that are vulnerable to **Dependency Confusion supply chain** attacks.\n\n**Loki** has been created with the goal of helping developers scan their projects and identify attack vectors that could take advantage of weaknesses in the dependency supply chain.\n\n**Loki** is a god in Norse mythology. Among other powers, he is an adept shapeshifter and impersonator of people.\n## Disclaimer\n**Loki** is a defensive tool. The attack mode inserts a reverse shell payload that connects back to a listener the developer controls (see the `--host` and `--port` options below), with the sole purpose of demonstrating the impact of a misconfigured module.\n\n## When may a Dependency Confusion supply chain attack happen?\n**Dependency Confusion** attacks may occur if:\n* A company uses a hybrid approach, downloading dependencies from both its internal repositories and public repositories.\n* A developer has not properly configured a project's `npm` registry. A lightweight private npm proxy registry such as [Verdaccio](https://verdaccio.org/) can be configured.\n* A typo in the name of a dependency leads to an untrusted package being downloaded from the wrong repository (better known as typosquatting).\n* The version range specified for a dependency in `package.json` allows newer versions to be installed. A dependency declared as `\"loki-this-dependency-does-not-exist\": \"^1.1.0\"` allows any version from `1.1.0` up to, but not including, `2.0.0`; tilde (`~`) ranges behave similarly, allowing newer patch versions within the same minor version. In a hybrid setup, if the public registry (such as npmjs.org) offers a higher version satisfying the range than the private registry does, the public one is installed.\n* A package's install name differs from its import name. 
A developer reading the code may assume that the name used in `import`/`require` is also the name to install, and end up installing a different package under that name. As an example, the Python image processing library `OpenCV` is imported as `cv2`, but the correct command to install it is `pip install opencv-python`.\n\n## Mitigation\n* Strict internal dependency management: configure the private registry so that it never falls through to the public registry when it does not contain the requested package. As previously said, [Verdaccio](https://verdaccio.org/) is a nice tool to achieve this.\n* Using dependency scopes or namespaces (for example `@your-org/package`) for internal packages, which also helps against typosquatting.\n* Using version pinning. This does not tell you whether your current dependencies have already been compromised, but it prevents newer, untrusted versions from being downloaded.\n* Integrity checking, for example the `integrity` hashes recorded in `package-lock.json`.\n\n## Features\n\n* Dependency scanning\n* npmjs package publishing\n* Configurable reverse shell generation\n* Payload injection in vulnerable projects\n* Attack mode (PoC after successful payload injection)\n* Inspector mode (displays the hash of the commit that introduced the vulnerable package if the directory to scan is a git repository)\n\n## Usage\n### Prerequisite\nTo use this tool, it is expected that you have the following available in your environment:\n\n- Node.js and npm in stable and recent versions\n- The Git binary available in your path\n\n### If downloaded from the repository:\n```\n$ node bin/loki.js [options]\n```\n### Using npx:\n```\n$ npx @xh4h/loki [options]\n```\n\n### Options\n```\nOptions\n--directory   -d   Path to directory to scan\n--entrypoint  -e   Path to file to execute if directory is vulnerable (defaults to index.js)\n--inspect     -i   Enable inspector mode\n--accesstoken -a   Access token for npmjs.com\n--attack           Whether to attack the project\n--host             Host IP where the reverse shell listener is running (defaults to localhost)\n--port             Port where 
the reverse shell listener is running (defaults to 1456)\n```\n\n\n## Contributing\n[Contributing Guide](CONTRIBUTING.md)\n\n## License\n[MIT](LICENSE)\n\n## Credits\nBig thanks to the [Snyk](https://snyk.io/) team for their work on [snync](https://github.com/snyk-labs/snync) as **Loki** uses a modified version of their tool.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxh4h%2Floki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxh4h%2Floki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxh4h%2Floki/lists"}
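The resolution rule the README describes (in a hybrid setup, whichever registry offers the highest version satisfying the `package.json` range wins) and the scope and pinning mitigations, as an added example that is not part of Loki, its README or the snync code it builds on. The check below models that rule over a `package.json` and two constructed in-memory registry snapshots so it runs offline; a real scanner would query the private registry and the public npm registry instead. The package names, the `@acme` scope, the `npm.example.internal` URL and the version numbers are assumptions made up for the example.

```javascript
'use strict';
// Added example, not Loki's code: a minimal dependency-confusion check over a
// package.json using constructed registry snapshots instead of network calls.

// Parse "1.2.3" into [1, 2, 3]; null for anything that is not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Range support is limited to exact, ^, ~ and * (enough to show the
// resolution rule; npm itself implements the full semver grammar).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*' || range === 'latest' || range === '') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base || compareVersions(v, base) < 0) return false;
  if (op === '') return compareVersions(v, base) === 0;      // exact pin
  if (op === '~') return v[0] === base[0] && v[1] === base[1]; // same minor
  // caret: the leftmost non-zero component of the base is fixed
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Highest version in `versions` that satisfies `range`, or null if none does.
function highestMatching(versions, range) {
  let best = null;
  for (const ver of versions) {
    if (satisfies(ver, range) &&
        (best === null || compareVersions(parseVersion(ver), parseVersion(best)) > 0)) best = ver;
  }
  return best;
}

// privateScopes: scopes that .npmrc binds to the private registry, e.g. "@acme"
// via the (assumed) line `@acme:registry=https://npm.example.internal/`.
function scanDependencies(pkg, privateReg, publicReg, privateScopes) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!Object.prototype.hasOwnProperty.call(privateReg, name)) continue; // purely public, out of scope
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && privateScopes.includes(scope)) {
      findings.push({ name, status: 'safe', reason: `scope ${scope} is pinned to the private registry` });
      continue;
    }
    const privBest = highestMatching(privateReg[name], range);
    const pubBest = highestMatching(publicReg[name] || [], range);
    if (pubBest !== null &&
        (privBest === null || compareVersions(parseVersion(pubBest), parseVersion(privBest)) > 0)) {
      findings.push({ name, status: 'vulnerable', reason: `public ${pubBest} outranks private ${privBest} for ${range}` });
    } else {
      const hint = parseVersion(range)
        ? 'the exact pin blocks newer versions, but the unscoped name can still be claimed publicly'
        : 'a higher public publish would satisfy the range and win';
      findings.push({ name, status: 'at-risk', reason: `unscoped private name; ${hint}` });
    }
  }
  return findings;
}

// Constructed sample input (not a real project or registry).
const samplePackageJson = {
  name: 'example-app',
  dependencies: {
    'acme-internal-utils': '^1.1.0', // unscoped private package, caret range
    '@acme/auth-client': '^2.0.0',   // scoped private package
    'acme-logger': '1.4.2',          // unscoped private package, exact pin
    'lodash': '^4.17.21',            // genuinely public
  },
};
const privateRegistry = {
  'acme-internal-utils': ['1.0.0', '1.1.0', '1.1.3'],
  '@acme/auth-client': ['2.0.0', '2.1.0'],
  'acme-logger': ['1.4.2'],
};
const publicRegistry = {
  'acme-internal-utils': ['1.9.0'], // attacker-published, higher than private
  'acme-logger': ['99.0.0'],        // higher, but rejected by the exact pin
  'lodash': ['4.17.21'],
};

function runSample() {
  return scanDependencies(samplePackageJson, privateRegistry, publicRegistry, ['@acme']);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) console.log(`${f.status.padEnd(10)} ${f.name}: ${f.reason}`);
}
```

On the sample input `acme-internal-utils` is reported as vulnerable (public `1.9.0` satisfies `^1.1.0` and beats the private `1.1.3`), `@acme/auth-client` is safe because its scope is bound to the private registry, and `acme-logger` is only at risk: the exact pin keeps `99.0.0` out, but the name is still unscoped. The two mitigations correspond to the README's scope and pinning bullets; neither replaces configuring the private registry so that it does not fall through to the public one.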