Hey everyone.

During a bug bounty assessment, I discovered internal npm package names leaked via client-side source maps. Further recon revealed an interesting scenario under the same organization scope: some packages are publicly registered on npm. However, several internal package names are completely unregistered (returning 404).

Example structure:

    u/company/widget-core -> Registered/Public
    u/company/widget-platform -> 404 (Unregistered)
    u/company/widget-header -> 404 (Unregistered)

This strongly indicates a potential Dependency Confusion / Namespace Hijacking risk.

My questions are:

Would registering one of the available package names with absolutely no code inside—solely to prove the namespace can be claimed—be considered a valid and ethical PoC? Or would bug bounty programs view this action as unauthorized supply-chain manipulation?

I would love to hear from anyone who has dealt with a similar triage situation.

Thanks.

submitted by /u/hackaniod
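The recon step the post describes (querying the public registry for each leaked name and sorting 200 from 404) can be scripted without publishing anything. The block below is an added example, not code from the post or its author. It assumes Node 18+ (global `fetch`), the scope `@company` and the three package names as placeholders taken from the post's example, and a constructed stub registry so it runs offline; swapping `stubFetch` for the default `fetch` queries registry.npmjs.org for real. One caveat worth building into the triage label: a 404 from the registry does not by itself prove a name is claimable. Private packages under a paid npm org also answer 404 to unauthenticated clients, and if the scope is already an existing npmjs user or org, only that owner can publish into it, so the "unregistered" names may not be hijackable at all.

```javascript
// Added example (not from the original post): classify leaked scoped package
// names by what the public npm registry returns for them.
const REGISTRY = "https://registry.npmjs.org";

// Registry metadata URL for a package. Scoped names keep the "@" but the "/"
// must be percent-encoded: "@company/widget-core" -> "@company%2Fwidget-core".
function registryUrl(pkgName) {
  return `${REGISTRY}/${pkgName.replace("/", "%2F")}`;
}

// Map an HTTP status to a triage label. 404 is deliberately not called
// "claimable": the registry returns 404 both for names nobody has published
// and for private packages the unauthenticated caller is not allowed to see.
function classifyStatus(status) {
  if (status === 200) return "public";
  if (status === 404) return "not-visible (unregistered or private)";
  return `unexpected (HTTP ${status})`;
}

// Group a {name: label} map into the two buckets a triager cares about:
// names that are public today and names that need further checking.
function triage(labels) {
  const summary = { public: [], candidates: [], other: [] };
  for (const [name, label] of Object.entries(labels)) {
    if (label === "public") summary.public.push(name);
    else if (label.startsWith("not-visible")) summary.candidates.push(name);
    else summary.other.push(name);
  }
  return summary;
}

// Query each name with GET (HEAD support is not guaranteed by every registry
// mirror) and label the result. `fetchFn` defaults to the real fetch and can
// be replaced with a stub for offline runs.
async function checkPackages(names, fetchFn = globalThis.fetch) {
  const labels = {};
  for (const name of names) {
    const res = await fetchFn(registryUrl(name), { method: "GET" });
    labels[name] = classifyStatus(res.status);
  }
  return labels;
}

// Constructed sample data mirroring the post's example structure (assumed
// scope "@company"; these are placeholders, not real packages).
const SAMPLE_NAMES = [
  "@company/widget-core",
  "@company/widget-platform",
  "@company/widget-header",
];
const STUB_STATUS = {
  "@company/widget-core": 200,
  "@company/widget-platform": 404,
  "@company/widget-header": 404,
};

// Offline stand-in for fetch: decodes the package name back out of the URL
// and returns the canned status above (404 for anything unknown).
async function stubFetch(url) {
  const name = decodeURIComponent(url.slice(REGISTRY.length + 1));
  return { status: STUB_STATUS[name] ?? 404 };
}

// Demo run against the stub; replace stubFetch with fetch for a live check.
checkPackages(SAMPLE_NAMES, stubFetch).then((labels) => {
  console.log(triage(labels));
});

module.exports = { registryUrl, classifyStatus, triage, checkPackages, stubFetch, SAMPLE_NAMES };
```

The live run only reads registry metadata, so it proves which names are visible without publishing anything; whether a 404 name is actually claimable still depends on who owns the scope, which is the question the program's rules, not the registry, will settle.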