Trusted extra eyes for stuck bug bounty findings
While reviewing the JavaScript bundles of a financial platform, I found references to 4 internal npm packages that are not registered on the public npm registry. The build system appears to resolve from both internal and public registries. If an attacker registers these package names on npmjs.com with a higher version number, the build system would pull the attacker-controlled package instead. This is a classic dependency confusion / substitution attack. I have confirmed the package names are available on npm. Need a collaborator who has successfully submitted dependency confusion findings before to help structure the report and PoC.
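The defensive counterpart to the scenario described in the post is to check where each locked dependency actually resolved from and whether the build's `.npmrc` pins internal scopes to the internal registry. The script below is an added illustration, not part of the original post: it audits a `package-lock.json` (lockfileVersion 3 layout) against a `.npmrc` and flags internal packages that were fetched from the public registry, plus unscoped internal names that cannot be pinned by scope at all. The sample lockfile, the `@corp` scope, the `npm.corp.example` host and the `KNOWN_INTERNAL_UNSCOPED` list are all constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Hosts treated as the public registry (assumption for this example).
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

# Constructed sample .npmrc: only the @corp scope is pinned to the internal registry.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@corp:registry=https://npm.corp.example/
//npm.corp.example/:_authToken=${CORP_NPM_TOKEN}
"""

# Constructed sample package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCK = {
    "name": "portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "version": "1.0.0"},
        "node_modules/@corp/auth-utils": {
            "version": "2.3.1",
            "resolved": "https://npm.corp.example/@corp/auth-utils/-/auth-utils-2.3.1.tgz",
        },
        "node_modules/@corp/ledger-client": {
            "version": "9.0.0",
            "resolved": "https://registry.npmjs.org/@corp/ledger-client/-/ledger-client-9.0.0.tgz",
        },
        "node_modules/portal-internal-theme": {
            "version": "1.4.0",
            "resolved": "https://npm.corp.example/portal-internal-theme/-/portal-internal-theme-1.4.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
}

# Names the organisation knows are internal but publishes without a scope (constructed).
KNOWN_INTERNAL_UNSCOPED = {"portal-internal-theme"}


def internal_scopes(npmrc_text):
    """Return the set of scopes that .npmrc pins to a non-public registry."""
    scopes = set()
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m and urlparse(m.group(2)).hostname not in PUBLIC_REGISTRY_HOSTS:
            scopes.add(m.group(1))
    return scopes


def package_name(lock_path):
    """'node_modules/a/node_modules/@corp/x' -> '@corp/x' (handles nested installs)."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lock, npmrc_text, known_internal_unscoped=frozenset()):
    """Return a list of (name, severity, reason) findings, in lockfile order."""
    scopes = internal_scopes(npmrc_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        host = urlparse(meta.get("resolved", "")).hostname or ""
        scope = name.split("/")[0] if name.startswith("@") else None
        from_public = host in PUBLIC_REGISTRY_HOSTS
        if scope in scopes and from_public:
            # The scope is pinned internally, yet this install came from the public registry:
            # exactly the substitution the post describes.
            findings.append((name, "high", f"internal scope {scope} resolved from public registry {host}"))
        elif scope is None and name in known_internal_unscoped:
            if from_public:
                findings.append((name, "high", "unscoped internal package resolved from public registry"))
            else:
                findings.append((name, "medium", "unscoped internal package: cannot be pinned to a registry by scope"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_lockfile(SAMPLE_LOCK, SAMPLE_NPMRC, KNOWN_INTERNAL_UNSCOPED):
        print(f"[{severity}] {name}: {reason}")
```

Run against a real project, `SAMPLE_LOCK` would be replaced by `json.load(open("package-lock.json"))` and `SAMPLE_NPMRC` by the contents of the project's and the CI runner's `.npmrc`. The two fixes the findings point at are the standard ones: publish every internal package under a scope that `.npmrc` binds to the internal registry, and configure the registry proxy so internal names are never looked up upstream.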