- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
2.2 KiB
name, description, domain, subdomain, tags, version, author, license
| name | description | domain | subdomain | tags | version | author | license | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| performing-supply-chain-attack-simulation | Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance, dependency confusion testing against private registries, package hash verification with pip, and known vulnerability scanning with pip-audit. | cybersecurity | application-security |
|
1.0 | mahipal | Apache-2.0 |
Performing Supply Chain Attack Simulation
Overview
Software supply chain attacks exploit trust in package registries through typosquatting (registering names similar to popular packages), dependency confusion (publishing higher-version public packages matching private names), and compromised package distribution. This skill detects these attack vectors by computing Levenshtein distance between package names and popular PyPI packages, verifying package integrity via SHA-256 hash comparison, scanning for known CVEs with pip-audit, and testing dependency resolution order for confusion vulnerabilities.
Prerequisites
- Python 3.9+ with
pip-audit,Levenshtein,requests - Access to PyPI JSON API (https://pypi.org/pypi/{package}/json)
- Network access for package metadata retrieval
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Key Detection Areas
- Typosquatting — compare package names against top PyPI packages using edit distance thresholds
- Dependency confusion — check if internal package names exist on public PyPI with higher version numbers
- Hash verification — download packages and verify SHA-256 digests match published hashes
- Vulnerability scanning — audit installed packages against OSV and PyPA advisory databases
- Metadata anomalies — flag packages with suspicious author emails, missing homepages, or very recent first upload dates
Output
JSON report with risk scores per package, detected attack vectors, hash verification results, and CVE findings.