Phantom Dependencies: Uncovering Supply Chain Blind Spots Your SCA Will Never Find

Suchith Narayan & Hariprasad Pujari

Staff Security Engineer @ Razorpay


Talk Abstract

The software supply chain security landscape operates on a dangerous assumption: that Software Composition Analysis (SCA) tools, by parsing lockfiles such as package-lock.json, go.sum, or requirements.txt, produce a complete and accurate Software Bill of Materials. They don't. Lockfiles are a point-in-time artifact of declared intent, not a record of what actually executes in your build pipelines, container images, or production clusters. The gap between the two is where real supply chain attacks live, and where current tooling is blind; it is especially wide in CI workflows such as GitHub Actions. This is how many companies were affected by Shai-Hulud.

This research systematically maps and exploits three distinct dependency ingestion vectors that fall entirely outside the lockfile model, producing what we term Phantom Dependencies — components that are fetched, executed, and trusted by your infrastructure but are invisible to every major SCA scanner on the market.
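As an added example (not the speakers' tooling and not code from the talk), the following Python script scans a GitHub Actions workflow for the class of dependency the abstract calls phantom: action references pinned to a mutable tag or branch rather than a commit SHA, container images referenced by tag rather than digest, and run steps that fetch code from the network at build time. None of this shows up in a lockfile, so an SCA tool that only reads lockfiles never sees it. The sample workflow, the detection patterns, the 40-hex-character commit SHA and the example.invalid URL are all constructed for illustration; the regexes are line-level heuristics, not a full YAML parser.

```python
"""Heuristic scan of a GitHub Actions workflow for dependencies that no
lockfile records.  Added example, not the speakers' tooling; every name,
pattern and the sample workflow below are constructed for illustration."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, kind, detail)

SHA40 = re.compile(r"[0-9a-f]{40}")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Shell commands that pull code from the network outside any lockfile.
FETCH_PATTERNS = [
    ("curl-pipe-shell",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("pip-install-unpinned",
     re.compile(r"\bpip3?\s+install\b(?![^\n]*(?:==|\s-r\s|--require-hashes))")),
    ("npm-global-install",
     re.compile(r"\bnpm\s+(?:install|i)\b.*(?:\s-g\b|--global\b)")),
    ("go-install-latest",
     re.compile(r"\bgo\s+install\s+\S+@latest\b")),
]


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how strongly it is pinned."""
    if ref.startswith("./"):
        return "local"                 # lives in the repo; reviewed with it
    if ref.startswith("docker://"):
        return "image-digest" if "@sha256:" in ref else "image-tag"
    if "@" not in ref:
        return "unpinned"              # default branch; changes silently
    version = ref.rsplit("@", 1)[1]
    if SHA40.fullmatch(version):
        return "sha-pinned"            # immutable commit
    return "tag-pinned"                # tag or branch; the maintainer can move it


def find_phantom_dependencies(workflow_text: str) -> List[Finding]:
    """Return every line that introduces code a lockfile does not describe."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            kind = classify_uses(ref)
            if kind in ("unpinned", "tag-pinned", "image-tag"):
                findings.append((lineno, kind, ref))
            continue
        for kind, pattern in FETCH_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
    return findings


# Constructed sample workflow; the SHA and URL are placeholders, not real.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: install toolchain
        run: curl -sSfL https://example.invalid/install.sh | sh
      - name: dependencies
        run: |
          npm ci
          npm install -g some-release-cli
          pip install requests
      - uses: docker://ghcr.io/example/builder:latest
"""

if __name__ == "__main__":
    for lineno, kind, detail in find_phantom_dependencies(SAMPLE_WORKFLOW):
        print(f"line {lineno:>3}  {kind:<22} {detail}")
```

Running the script reports five findings from the sample: the tag-pinned checkout action, the curl-pipe-shell installer, the global npm install, the unpinned pip install and the image referenced by tag; the SHA-pinned setup-node step is not reported. `npm ci` is deliberately not flagged because it installs exactly what the lockfile declares, which is the limit of what a lockfile-only view can tell you; what those packages do at install time is the part the scan cannot see.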

About the Speakers

Suchith Narayan

Staff Security Engineer @ Razorpay

Suchith is a Staff Security Engineer at Razorpay, where he works across AI Security, Supply Chain Security, CI/CD Security, and Application Security. He is an active open-source contributor who builds and maintains security tools that the community can use and build upon.

When he is not breaking (or fixing) things at work, he is likely on stage somewhere. His past speaking engagements include OWASP AppSec Days, C0c0n 2024 & 2025, Rootconf, Null, BSides Delhi, and the Accel Cybersecurity Summit, amongst others.

Hariprasad Pujari

Lead Security Engineer at Razorpay

Hariprasad is a Lead Security Engineer at Razorpay and an IIT Kharagpur alumnus, specializing in building robust security tooling and developing custom, in-house solutions to safeguard critical infrastructure.

His core focus areas include AI security, automating vulnerability management, and integrating security seamlessly into CI/CD pipelines using GitHub Actions. A strong advocate for the "shift-left" philosophy, he is dedicated to addressing vulnerabilities early in the development lifecycle to enhance the overall organizational security posture.

Hariprasad is an active contributor to the cybersecurity community and a returning speaker, having previously presented at c0c0n (2024, 2025) and the BSides Bangalore quarterly meet-up.
