OpenSource Dependency Enumeration

OpenSource Dependency Enumeration is a reconnaissance sub-technique focused on identifying and cataloging the open-source libraries, frameworks, and dependencies used by target applications. During reconnaissance, attackers systematically analyze public repositories, package manager files (such as package.json, requirements.txt, build.gradle, or Gemfile), and source code, and fingerprint running applications, to map an application's complete dependency tree. This intelligence lets attackers pinpoint known vulnerabilities in outdated or unpatched dependencies, evaluate the potential attack surface, and plan subsequent exploitation. By examining metadata in HTTP responses, GitHub repositories, and software composition analysis (SCA) data, adversaries can identify specific component versions that may contain known security flaws (CVEs) without directly engaging the target systems, maintaining stealth during the initial phase of the attack chain.

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Pin dependency versions and use private mirrors so adversaries cannot infer upgrade cadence from public registries. |
| M1036 | Account Use Policies | Require signed package uploads (Provenance/SigStore) to detect malicious enumeration or typo-squatting packages. |
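The same manifest files an adversary reads to build a dependency tree can be read by the defender first to check the pinning mitigation above. The following is an added example, not code from the original page: it parses a requirements.txt and a package.json (both constructed samples) and reports every dependency whose version spec is a range or wildcard rather than a single pinned version.

```python
import json
import re

# Constructed sample manifests (not taken from any real project).
REQUIREMENTS_TXT = """\
# comment line
requests==2.31.0
flask>=2.0
Django
cryptography~=41.0
-e git+https://example.invalid/repo.git#egg=internal_lib
"""
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.2", "lodash": "^4.17.21", "left-pad": "*"},
    "devDependencies": {"jest": "~29.0.0"},
})

# A pinned spec names exactly one version: "==1.2.3" for pip, a bare "1.2.3"
# for npm. Ranges, wildcards and caret/tilde specs let the resolver pick newer
# code, so the installed version is not what a reader of the manifest sees.
PIP_PINNED = re.compile(r"^==\s*[0-9][0-9A-Za-z.!+]*$")
NPM_PINNED = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def parse_requirements(text):
    """Yield (name, spec) from a requirements.txt body, skipping comments,
    blank lines and option/VCS lines such as -r, -e or --index-url."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$", line)
        if m:
            yield m.group(1).lower(), m.group(3).strip()


def parse_package_json(text):
    """Yield (name, spec) from a package.json body across its dependency sections."""
    data = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            yield name, spec


def unpinned(pairs, pinned_re):
    """Return, sorted, the names whose spec does not resolve to a single version."""
    return sorted(name for name, spec in pairs if not pinned_re.match(spec))
```

Run against a repository's real manifests, the two `unpinned` results are the list of components whose effective version depends on registry state at install time rather than on the committed file.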

Detection

Most open-source dependency enumeration is passive and external—attackers query public package registries or scrape metadata without touching enterprise infrastructure.

Detection opportunities are confined to:

  • Registry provider logs (if the organisation runs a private mirror) showing bulk npm view/pip search requests.
  • External threat-intel services that attribute mass enumeration of organisation-specific package prefixes.
  • Follow-on phishing or exploit kits crafted to the precise library versions uncovered during enumeration.