Depi’s 9M Upstream Security Platform: How a Teenage Hacker Turned Bug Bounty Mastery Into a Supply Chain-Killing Machine

Listen to this Post

Featured Image

Introduction:

The software supply chain has become the Achilles’ heel of modern enterprises, with attacks like SolarWinds proving that front-door defenses are no longer enough. Modern breaches are increasingly staged in the upstream layers of the codebase—hidden within open-source libraries, CI/CD pipelines, and third‑party dependencies. From this battleground, French startup Depi (formerly Lupin & Holmes) has emerged, armed with an offensive security platform that maps and stress‑tests real attack paths before criminals can exploit them.

Learning Objectives:

  • Understand the core mechanics of software supply chain attacks and why upstream security is critical.
  • Learn how to enumerate dependencies and detect dependency confusion vulnerabilities using open‑source tools.
  • Implement practical hardening techniques for GitHub Actions, npm, and Python ecosystems.

You Should Know:

  1. Mapping the Attack Surface: Dependency Confusion & Enumeration

At the heart of Depi’s offensive strategy lies the ability to uncover hidden relationships between your code, its dependencies, and the upstream maintainers. A key technique in this space is dependency confusion, where an attacker uploads a malicious package with the same name as an internal private package to a public registry, tricking the build system into pulling the attacker‑controlled version.

Step‑by‑step guide: Enumerating packages and detecting confusion risks

Step 1: Enumerate all dependencies used by a target application.
– Linux / macOS: Use `grep` and `jq` to extract package names from lockfiles.

 Extract npm package names from package-lock.json
cat package-lock.json | jq -r '.packages | keys[]' > npm_packages.txt
 Extract Python dependencies from requirements.txt
grep -oP '^[a-zA-Z0-9_-]+' requirements.txt > python_packages.txt

– Windows (PowerShell):

 Extract npm package names using ConvertFrom-Json
(Get-Content package-lock.json | ConvertFrom-Json).packages.PSObject.Properties.Name > npm_packages.txt
 Extract Python dependencies
Select-String -Path requirements.txt -Pattern '^[a-zA-Z0-9_-]+' | ForEach-Object { $_.Matches.Value } > python_packages.txt

Step 2: Check for publicly accessible package manifests.

Fuzz common endpoints to find exposed `package.json` or `requirements.txt` files:

ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt -e .json,.txt -c -ac

Step 3: Hunt through Git history for forgotten dependencies.

 Dump all files from all commits (using tomnomnom's git-dump)
git clone https://github.com/tomnomnom/dotfiles.git
cp dotfiles/scripts/git-dump /usr/local/bin/
chmod +x /usr/local/bin/git-dump
cd /path/to/target/repo
git-dump | grep -E '(package.json|requirements.txt|pom.xml)'

Step 4: Verify if a dependency is vulnerable to confusion.
Search for the package name on public registries (npm, PyPI, RubyGems) and check if a public version with a higher version number exists. Depi automates this across thousands of dependencies, but you can manually test with:

 Check npm for a package named 'internal-auth'
npm view internal-auth versions
 Check PyPI
pip index versions internal-auth

2. Defending the CI/CD Pipeline: Hardening GitHub Actions

A compromised CI/CD pipeline can lead to catastrophic supply chain breaches. Depi’s platform continuously monitors pipeline definitions and registry interactions to detect misconfigurations before they are exploited.

Step‑by‑step guide: Hardening GitHub Actions workflows

Step 1: Audit existing workflows for over‑privileged tokens.

 Find all workflow files
find .github/workflows -name '.yml' -o -name '.yaml'
 Check for GITHUB_TOKEN permissions
grep -n 'permissions:' .github/workflows/.yml

Set the minimal required permissions explicitly:

permissions:
contents: read  Only read code, never write
pull-requests: write  If needed for comments

Step 2: Pin actions to full‑length SHAs instead of version tags.

This prevents tag‑poisoning attacks. Example:

 Instead of:
- uses: actions/checkout@v3

Use:
- uses: actions/checkout@c85c95e3d7251b7c2adf5f6d68c6e4b7e4e5a6c8

Step 3: Restrict which branches can trigger workflows.

on:
push:
branches:
- main
- develop

Step 4: Enable GitHub’s dependency review and supply chain features.
– Navigate to Settings → Code security and analysis and enable Dependency graph, Dependency review, and Secret scanning.
– Use `actions/dependency-review-action` in your workflow:

- name: Dependency Review
uses: actions/dependency-review-action@v4

Step 5: Scan your own container images before deployment.

 Using Trivy (open‑source)
trivy image your-app:latest --severity CRITICAL
 Using Grype
grype your-app:latest

3. OS-Level Security for Build Servers

Build servers (Jenkins, GitLab Runners) are prime targets for upstream compromise. The following commands help lock down Linux and Windows build agents.

Linux (Ubuntu/Debian)

 Restrict package installations to only signed packages
apt-get install --allow-unauthenticated  Never use this flag

Harden SSH configuration
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
systemctl restart sshd

Set immutable flag on critical build scripts
chattr +i /usr/local/bin/build-script.sh

Monitor file integrity with AIDE
apt-get install aide
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide --check

Windows (PowerShell as Admin)

 Restrict execution policy for build scripts
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine

Enable Windows Defender application guard for build processes
Add-WindowsCapability -Name "AppGuard" -Online

Monitor file changes with Sysmon
 Install Sysmon from Microsoft
.\Sysmon64.exe -accepteula -i sysmon-config.xml

Block unsigned executables from running in build directories
$rule = New-Object -TypeName Microsoft.PowerShell.ExecutionPolicy -ArgumentList "Restricted"
Set-ExecutionPolicy -ExecutionPolicy $rule -Scope Process

4. Registry Hardening: npm and PyPI

Attackers often compromise internal registries or trick builds into pulling from public registries. Depi validates registry authenticity and package provenance.

Step‑by‑step guide: Hardening npm and PyPI configurations

npm

 Force scoped packages to come only from your private registry
echo "@mycompany:registry=https://npm.pkg.github.com/" >> .npmrc

Enable package provenance (npm 9.5+)
npm publish --provenance

Disable `npm install` from running pre/post install scripts automatically (except for trusted packages)
npm install --ignore-scripts

PyPI (Python)

 Use a private index URL
pip config set global.index-url https://pypi.yourcompany.com/simple/
 And use the public index only as a fallback
pip config set global.extra-index-url https://pypi.org/simple/

Verify package integrity using hashes
 Download a package and compare its hash to the official one
pip download requests==2.28.1 --no-deps
sha256sum requests-2.28.1-py3-none-any.whl
 Compare with the hash from PyPI

5. Upstream Maintainer Security Analysis

Depi goes beyond code scanning by assessing the security posture of the maintainers who control the libraries you depend on.

Step‑by‑step guide: Manual maintainer security assessment

Step 1: Identify maintainers of critical dependencies.

 For npm, use `npm view` to list maintainers
npm view lodash maintainers
 For PyPI, scrape the project page or use `pip show`
pip show requests | grep -i maintainer

Step 2: Check if maintainers use 2FA on their accounts.
– On GitHub, visit `https://github.com/

` and look for the “Two‑factor authentication” badge.
- On GitLab, check user profile → Security.

Step 3: Use `curl` and `jq` to query GitHub API for maintainer activity and 2FA status.
[bash]
 Get user's 2FA status (requires OAuth token)
curl -H "Authorization: token YOUR_GITHUB_TOKEN" \
https://api.github.com/users/[bash] | jq '.two_factor_authentication'

Step 4: Monitor for anomalous package updates.

Set up a simple cron job that checks for new versions and logs the maintainer:

!/bin/bash
 Check for new versions of a specific package on npm
current_version=$(npm view lodash version)
if [ "$current_version" != "$last_known_version" ]; then
echo "New version $current_version published by $(npm view lodash maintainers[bash].name)" >> maintainer_changes.log
fi

What Undercode Say:

  • Key Takeaway 1: Upstream security is not just about scanning dependencies; it requires mapping the entire attack surface—from source to build to package—and continuously stress‑testing those paths from an offensive perspective. Depi’s approach of “thinking like a hacker” is the only way to catch vulnerabilities that traditional SBOM and SCA tools miss.
  • Key Takeaway 2: The best defense is a layered, proactive one. Hardening your CI/CD pipelines, pinning dependencies, and auditing maintainer security are all critical steps, but they must be combined with real‑time, attacker‑simulated validation. Depi’s ability to find a critical Rollup vulnerability days before it became public and alert Ledger in time to contain the blast radius proves that upstream security is no longer optional—it’s a business imperative.

Prediction:

The software supply chain attack surface will continue to expand as organizations accelerate adoption of AI‑generated code and third‑party components. In the next 24 months, we will see a new wave of “dependency confusion 2.0” attacks targeting not just package names but also AI model dependencies and configuration as code (CaC) repositories. Platforms like Depi, which combine real‑world bug bounty intelligence with automated attack path mapping, will become as essential as traditional firewalls. Expect upstream security to evolve into a dedicated product category, with acquisitions from major cloud providers (AWS, Azure, GCP) and a focus on real‑time, AI‑driven threat correlation. The shift from reactive patching to proactive, offensive security will redefine how enterprises build and deploy software, making “shifting left” a reality rather than a slogan.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Grateful To – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky