Detect npm packages compromised in the Shai-Hulud 2.0 supply chain attack (Nov 2025). Scans for 790+ malicious packages, suspicious scripts, TruffleHog activity, SHA1HULUD runners, and secrets exfiltration. GitHub Action with SARIF support.

Verify PyPI package attestations and improve Python supply-chain security

JavaScript implementation of The Update Framework (TUF)

CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.

OPA Gatekeeper provider for GitHub Artifact Attestations

Demo repository showcasing how to use reusable workflows to build artifact attestations

Autonomous “Shai-Hulud” engine that ingests malicious NPM package advisories from OSV, tracks versions and metadata, and maintains a continuously updated threat intelligence database.

Caught you. — Runtime network surveillance for PyPI and npm packages.

oh supply chain my supply chain — a multi-ecosystem package malware scanner for PyPI, npm, crates.io, and Go. Static analysis plus a sandbox detonation engine, with pluggable detection content (open-core; AGPL engine, Apache-2.0 signatures).

Secure your dependencies before they land in production. secure-packages audits package source, reviews new-version diffs, and blocks risky updates in CI/CD, starting with PyPI.

Supply-chain security scanner for npm packages. Detect malicious code, typosquatting, and compromised dependencies before you install them.

World-class security standard for npm packages. Automated threat detection, supply chain analysis, and 0-100 security scores. Because in 2025, we can do better than the Wild West

A beautiful, zero-config visual CVE dashboard for npm & Python. One command: npx osv-ui. 100% Local & Secure.

Zero-dependency supply-chain security proxy for npm, PyPI, and Cargo. Scores packages against attack patterns at install time.

Supply-chain security and dependency analysis tool for the npm ecosystem

VirusTotal for AI packages. ai-trust check <pkg> returns a 0-100 trust score from the OpenA2A Registry trust graph, covering security scans, advisories, and dependency risk. For MCP servers, A2A agents, skills, and LLM packages.

Scans the real npm publish tarball before release and blocks leaks like source maps, secrets, internal files, and suspicious oversized artifacts.

Open-source CVE lookup tool for software packages. Check vulnerabilities, CVSS scores, version age, and latest releases across 8 ecosystems using OSV.dev.

Search all repositories across a github organization and looks for nodejs dependencies

Node.js + TypeScript con pnpm, control estricto de dependencias y protección contra ataques de cadena de suministro.