JSPM

Library to serialize/deserialize CycloneDX BOM with protocol buffers

Opinionated dependency linter for your git/github dependencies

A standalone package freshness guard for uv and npm.

The Node framework that owns its stack.

AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate,

Sha1-Hulud 2.0 npm supply chain attack scanner - Real-time detection using Koi.ai data

Supply-chain threat detection & response for npm & PyPI/Python

Production-grade npm supply chain vulnerability scanner. Detects 100% of 3 real May 2026 supply chain campaigns (dependency confusion, obfuscation, impersonation) with 0% false positive rate on top 1,000 npm packages.

Code-Ready Dependency Analytics JavaScript API.

Shortest sea route between any two points on Earth. TypeScript library with the Eurostat 2025 maritime network, canal/strait restrictions (Suez, Panama, Bab-el-Mandeb…), vessel-draft gating, K-shortest alternatives, multi-leg waypoints, and ETA from vesse

Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.

High-performance neural trading system with complete NAPI API (178 functions), advanced CLI with interactive mode, GPU acceleration, real-time execution, multi-agent swarm coordination, neural networks, risk management, sports betting, syndicate collabora

Run npm installs with dependency lifecycle scripts disabled, then rebuild explicitly trusted dependencies.

Scan local package-manager state for known supply-chain attack indicators.

Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered d

Trustify :: Dependency Analytics :: API

Trust verification CLI for AI packages — check MCP servers, A2A agents, AI tools, and LLMs before you install

PMG - Package Manager Guard: protect developers from malicious packages

Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked

Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs

Node.js supply-chain enforcement at install and at runtime. Policy-gated lifecycle scripts, caller-chain-attributed runtime hook.

A local AI operating system that learns your operations and runs them with Artificial Beings. Across portals, ERPs, dashboards, inboxes, spreadsheets, and PDFs. On your hardware. Your data. No APIs.

Zero-config install-time supply-chain hardening for npm, pnpm, yarn, bun, cargo, mise, uv, and bundler.

CLI client for reporting compliance events to https://kosli.com

VION Security CLI — secure-by-default installer for the VION agent across Claude Code, Blackbox AI, OpenAI Codex, and terminal.

Policy schema, resolved-rule types, normalizer, and route contracts shared across Kratex components.

CLI and GitHub Action for npm supply chain security reviews

AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, a

CLI for verifying repository integrity roots against the TIP registry.

Scan ALL Maven, npm, Yarn, Composer, Python, C#/.NET, Go & Ruby dependencies — plus embedded JARs (fat-jars/war/ear) — in a source tree ONE SHOT without mvn/python/etc — CVE (EPSS/KEV-prioritised), EOL, obsolete, outdated & licenses, with SBOM/CSAF/SARIF/

CLI tool that gates npm updates behind a configurable maturity cooldown

Sandbox npm/pnpm/yarn/bun install with bwrap (Linux) or Docker (macOS) to keep secrets in the working directory and host $HOME out of reach of postinstall scripts.

Passive external security posture analysis engine for SecURL.

MCP security server for AI coding agents. Workspace auto-exec audit (pre-open repo scan, defends against fake-interview / take-home-test malware), static code analysis, behavioral detection, pre-install guardian, AI hallucination guard, dead dependency de

Static obfuscation detector for npm lifecycle scripts — supply chain attack prevention

Standalone, browser-safe verifier for KXCO ML-DSA-65 post-quantum signed attestations and credentials — for auditors, regulators, counterparties, and anyone who needs to confirm a signature without running the full KXCO SDK.

Security-first CLI for AI-assisted development: safe package installs, dependency scanning, API flow testing, and agent task orchestration.

Security wrapper around skills add

Supply-chain firewall for AI coding tools

Node.js TypeScript CLI for discovering, staging, activating, and wiring reusable AI-agent assets across supported developer hosts.

Shoulder — local-first trust scanner for developers and AI coding agents.

Security lifecycle orchestrator — dispatches to per-stage security providers (secrets, sbom, release-gate, etc.).

Claude can sign, but never see. MCP server + CLI that keeps private keys out of the LLM's context window.

Core engine for detecting fake packages, fake imports, slopsquatting risk, and hallucinated dependencies in AI-generated code.

Provenance verification for prebuilt native addons with GitHub attestations

SLSA v1.2 provenance mapping for PEAC provenance extension

in-toto v1.0 attestation mapping for PEAC provenance extension

Security scanner for npm packages - pre and post-install scanning for malicious code, supply chain attacks, and obfuscated code

Guard package-manager installs, dependency changes, CI, and agent-run commands before suspicious project code executes.

One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.

npm dependency security scanner and package threat analysis tool

Security scanner for MCP server configurations. Finds risky tools, vulnerable packages, and suspicious servers across Claude Desktop, Cursor, VS Code, and more.

OpenAgentLock CLI — a firewall for AI coding agents. Detects local agent harnesses (Claude Code, Codex CLI, Cursor, OpenCode, Cline, Gemini CLI, Continue, Copilot), gates risky tool calls via a Go control plane, anchors decisions in a Rust Merkle ledger.

Check your npm packages against a curated list of known-compromised versions. Scans package-lock.json, pnpm-lock.yaml, and yarn.lock. Built for the AI-coding era.

npm supply chain security scanner — detect typosquatting, maintainer changes, and malicious scripts before npm install

Nexus Dependency Auditor — OSV CVE scanning, offline cache, supply chain risk analysis, and build-time blocking

Model Context Protocol server that lets AI coding assistants (Claude Code, Cursor, Windsurf) check npm packages against the Sandcheck dataset before suggesting installs.

Security Trust Report: colors@1.4.0 — 46/100 (C, caution). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Bootstrap and safely evolve a shared Claude Code repo structure.

PoC package in npm for data exfil

Gadget bundle signing + verification for the ggui gadget marketplace. Ed25519 author-key path + sigstore/cosign keyless path. Pure-TS @noble crypto for Ed25519 — browser-safe.

One command. Safer dependencies.

Core lookup library for Sandcheck. Loads the curated compromised-package dataset, validates it against the JSON Schema, and resolves package@version queries against it.

Supply-chain security firewall for Node.js — resolves dependencies, scans via OSV.dev and NVD, and enforces configurable vulnerability policies before anything reaches node_modules.

Standalone, zero-dependency CLI for npm supply chain security analysis — vulnerability scanning, OpenSSF Scorecard, install-script detection, publisher history, and more.

⚡ Frisk — Catches leaked credentials and supply-chain threats in ClawHub skills before you install. 9 intel sources, 7 checks, zero phone-home.

VibeCheck Ultimate CLI — Ship with confidence. 65+ commands merged from 4 codebases: kernel infrastructure, ISL verification, Reality Mode, Agent Firewall, MCP Server.

Official TypeScript SDK for GTCX Protocol

Find installed binaries and packages tied to supply-chain attacks or AI security incidents.

A dependency-decision ledger: every dependency is recorded, explained, and reviewable in the PR — for Node.js projects and coding agents.

Cosign signing + SLSA provenance for the package.publish lifecycle stage. Signs the published artifact (keyless via Fulcio OIDC when available, or with input.config.cosignKey for key-based) and emits an intoto+json SLSA provenance document. Registers as a

Security Trust Report: @sprintsail/cli@0.2.1 — 59/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

D1337 CIPHER-OSC V3 — Elite AI Agent Framework. 106+ components. Hooks, subagents, custom commands. Underground mindset, brutal execution, sovereign protocol.

Security Trust Report: event-stream@4.0.1 — 53/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

A proof-of-concept demonstrating how npm packages can execute code during installation

SafeDep CLI: open source software supply chain security

Content-based supply-chain scanner for npm/pnpm/yarn/bun: inspects the bytes you actually installed (lifecycle hooks, obfuscated payloads, worm IOCs) instead of just matching package names against an advisory list.

MCP server exposing Attestd CVE and supply-chain checks for Claude Code and other MCP clients

Security Trust Report: rc@1.2.8 — 56/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

JS/TS supply-chain hardening CLI — scan, secure, and enforce dependency policies

HS code classifier for AI agents. Classifies products to official 6-digit tariff codes before customs declarations or duty calculations. VERIFIED verdict in one call.

Deterministic registry + integrity scanner for Model Context Protocol servers. Make MCP supply-chain boring.

Official Node.js SDK for the Tracing Platform

[THIS IS A TEST] Level-1 dependency used to introduce a transitive sub-dependency for SBOM/visibility validation.

Scans Node, Python, and AI-agent configs for indicators of compromise from npm and PyPI supply-chain attacks.

Reusable ESLint flat config and git-hook toolkit for Archipelago projects

npm registry proxy firewall — blocks vulnerable packages before they reach node_modules

Offline AST-grade npm/pnpm/yarn/bun supply-chain auditor that flags Shai-Hulud-style install-script worms. Real JavaScript AST analysis with taint approximation, IoC corpus matching, sigstore provenance verification, and baseline diffing — designed as def

npm outdated, but only for packages that have had time to age safely

Skill vetting & supply chain security for OpenClaw. Scans SKILL.md files for prompt injection, credential theft, RCE, typosquatting, and social engineering.

CLI tool to detect AI hallucinated packages and npm vulnerabilities

Security Trust Report: faker@6.6.6 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

CLI that fails if any package version in (or newly added to) a lockfile is younger than a configurable threshold on the npm registry. Defends against supply-chain attacks via a quarantine window.

Robust, framework-agnostic security middleware and monitoring SDK for distributed retail and supply chain applications

Protect yourself from npm supply chain attacks. One command sets up minimumReleaseAge cooldowns across npm, pnpm, Yarn, and Bun globally.

Official JavaScript/TypeScript client for the Attestd security risk API

Agent-first OSS repository health scanner based on CHAOSS metrics, The Open Source Way 2.0, and Inclusive Naming Initiative

Standalone supply-chain scanner (npm + PyPI) with reachability (VEX-lite) triage, powered by OSV. Part of PatchPilot.

Security Trust Report: jst@0.0.13 — 59/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: flatmap-stream@0.0.1-security — 50/100 (C, standard). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Unified quarantine policy for package managers — block recently-published packages to prevent supply-chain attacks

GitHub security posture audit tools for AI agents — organization, repository, Actions, secrets, supply chain analysis via MCP

A security scanner that detects npm packages compromised by supply chain attacks, including the TanStack wave 4 attack (May 2026), the Axios attack (March 2026), and Shai-Hulud malware.

Security Trust Report: wepback@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Supply-chain inventory collector for package, extension, and developer-tool metadata on macOS and Linux.

Local-first security and cognitive-risk scanner for MCP tools and agent skills with ToolBOM, attack harness, and policy checks.

A TypeScript CLI and VSCode extension that scans npm dependencies for security and supply-chain risk.

Supply Chain Guard CLI - Secure front door for npm: per-session install guard, mandatory preflight, phantom detection, governance checks

One-time install git push protection with 1000+ provider fingerprints and entropy scanning for leaked tokens.

Scan dependencies for supply-chain risk: EOL versions, CVEs, abandonment, typosquatting, license compliance, and maintainer takeover patterns

Supply chain policy stamping — detect, patch, and generate CI workflows for org-wide policy adoption

ph — Scan Claude Code / Codex CLI / Gemini CLI plugins for malicious hooks, poisoned SKILL.md, and MCP tool-poisoning *before* you install. Uses your local LLM CLI as the judge — no API key required.

Intentionally suspicious npm package for evaluating supply-chain security scanners.

Tiny zero-dependency CLI that scans npm, pnpm, yarn, and bun lockfiles for packages compromised in the TanStack May 2026 npm supply-chain incident (mini Shai-Hulud). Uses the official Snyk advisory as the source of truth.

Detect and fix the mini-shai-hulud TanStack supply-chain attack (socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack)

Extract compliance evidence from git repositories, package dependencies, and CI/CD pipelines

Agentic CVE remediation platform for Node.js. Correlates threat intelligence, applies policy-governed fixes, and delivers auditable remediation outcomes across CI/CD pipelines, agent workflows, and service portfolios.

Fend off risky dependencies. Sandboxed runtime for package installs and dev scripts.

Arcis security CLI — scan running apps, audit source, and check dependencies. Native Rust binary distributed via npm.

Pre-commit secret scanner. Blocks API keys, tokens, .env files, and private keys from leaking into git. Ships as a skill for Claude Code, OpenAI Codex CLI, Google Antigravity, and Moonshot Kimi CLI, plus a standalone CLI / git hook.

Security Trust Report: loadash@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: nesk-scanner-termux@8.0.6 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

SYNAPSE SBOM scanner for npm projects — generate a CycloneDX SBOM locally and submit it to SYNAPSE Software Component Analysis.

CLI tool that audits env files, dependencies, and React code quality before your app ships

Security Trust Report: @cairncms/api@1.0.0 — 58/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Cupel — audit local des skills IA (Claude Code, Cursor, Codex). 14 règles de détection : prompt injection, ASCII smuggling, tool poisoning, exfiltration credentials, reverse shells, obfuscation hex. Zero network. Inspiré de la coupelle de l'essayeur d'or,

Supply chain security for AI-generated code - scans packages, Docker images, and IDE extensions (VS Code, Cursor, JetBrains) before install for typosquats, CVEs, sandwich-pattern attacks, and Docker tag overwriting

Security Trust Report: n3xt@1.0.0 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Official SDK for encoding and decoding Metrc RetailID QR labels

Offline, zero-dependency static capability analyzer for JavaScript — see what a script can do (network, filesystem, exec, secrets) before you run it.

A terminal-first supply chain guard for package manager workflows.

Easily see the dependency graph of your npm project

Experimental HOME/env isolation for package-manager install scripts

14-module security, AI, auth & DX toolkit for Node.js. Zero dependencies.

DeFarm SDK - Git for traceability with multi-role permissions and global item discovery for agriculture supply chain

Security Trust Report: openclaw@2026.5.18 — 57/100 (C+, standard). 22 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Stay N versions behind the latest published release of your npm dependencies to avoid supply chain attacks.

Core detection engine for AI-generated code — hallucinated packages, phantom dependencies, stale APIs, security anti-patterns. Structural, embedding, and LLM scanning.

Security Trust Report: resin-stream-logger@0.1.2 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Package Intelligence MCP server for AI agents. Stops hallucinated/malicious package installs across 19 ecosystems (npm, PyPI, Cargo, Go, Maven, NuGet, RubyGems, Composer, Pub, Hex, Swift, CocoaPods, CPAN, Hackage, CRAN, Conda, Homebrew, JSR, Julia). 22 to

Production-grade inventory kernel and supply chain engine for MongoDB — locations, moves, quants, reservations, valuation, routing, traceability

Scan markdown and config files for hallucinated npm package names. Defends against slopsquatting supply chain attacks.

Open source npm package security scanner — catch supply chain attacks before they catch you.

MCPS -- MCP Secure. Drop-in secure replacement for the MCP SDK. ECDSA message signing, body integrity, replay protection, tool integrity, and audit trail.

Runtime dependency behavior monitor for Node.js — the strace for npm packages. Detects supply-chain attacks that static analysis misses. Zero dependencies. Zero config. Zero telemetry.

JavaScript/TypeScript SDK for the CowCare MilkSupplyChain contract on Celo

Dependency risk gate for JavaScript projects: OSV advisories, SBOM scans, baselines, install blocking, and supply-chain risk signals.

Scan your project for compromised npm packages

Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases

Stop installing npm packages blindly. Pre-install security scanner for npm packages and GitHub repos.

Scan npm dependencies for supply chain security risks - detect malicious packages before they compromise your project

npm package age validator for supply chain security

AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.

Global npm vulnerability and malware verifier with install-time blocking

Detect AI-hallucinated packages, phantom dependencies, and stale APIs in your codebase. Open-source CI/CD quality gate with local Ollama support — zero API cost.

Security Trust Report: @scopieflows/pieces-common@0.11.2 — 56/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

The dependency bloodhound for AI coding agents. Sniffs out vulnerabilities, license risks, and health issues in your dependencies — free, no API keys.

n8n community node for TracePass — automate EU Digital Product Passport workflows: products, passports, EPCIS supply-chain events.

Dependency install safety gate with OSV-backed advisory checks, approved-spec ledger enforcement, and reorg rollback hooks

Delay npm package installations until they reach a minimum age, protecting against supply chain attacks

Security scanning CLI for React and Next.js — detects CVEs, secrets, license risks, supply chain threats, hydration bugs, RSC boundary violations, and more.

Dependency Inspector - A security analysis tool for npm packages

Post-quantum cryptographic security layer for npm, pip, and cargo package managers

EDIFACT D.20B (2020) Standard Definitions - Latest Standard - 195 Message Types

Supply chain attack protection audit tool for pnpm projects

Multi-engine AI agent security scanner — one scan, four engines, one report

Anchor files to Bitcoin from the command line. Generate .proof bundles for offline verification.

Scaffold a full-stack SupplyNet SCMS project in one command

Security Trust Report: @scopieflows/app-gistly@0.1.3 — 72/100 (B, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: @qihuangai/api@1.0.0-beta.4 — 60/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

One-shot setup for secure npm package publishing: OIDC trusted publishing, staged publishing, hardened CI/CD.

CLI tool to install BMAD workflow files into any project with integrated Shai-Hulud 2.0 security scanning

CRA compliance automation - SBOM generation, CVE monitoring, and vulnerability reporting for the EU Cyber Resilience Act.

Zero-dependency CLI scanner for npm/PyPI supply chain compromises. Detects compromised packages in lockfiles and system-level IOCs from attacks like Mini Shai-Hulud (CVE-2026-45321).

Comprehensive security guards for LLM-powered and agentic AI applications - 34 guards covering OWASP Top 10 for LLMs 2025, Agentic Applications 2026, and MCP Security. All guards accessible via unified TrustGuard facade. Features prompt injection (PAP/per

Static analysis and security scanner for AI agent configuration files

Open-source MCP server that flags day-zero supply-chain anomalies in npm + PyPI packages before install.

Policy-as-code admission controller for AI agent skills and MCP tools with SkillBOM, lockfiles, and supply-chain baselines.

Security scanner that checks npm dependencies for Shai Hulud vulnerable packages. 100% offline, zero data collection, zero telemetry. Scans all dependencies against 689+ known compromised packages.

Security namespace placeholder for satoki. Registered to prevent supply chain attacks.

Supply-chain scanner that audits npm dependencies for typosquats, malicious install scripts, license risk, and known CVEs.

Local-first CLI that blocks risky npm, pnpm, and bun installs before they run. Open source.

Security research backdoor package for supply chain attack simulation

Audit, pin, and upgrade GitHub Actions workflows. LLM-friendly TOON output, safe-by-default.

Push SBOMs to CRA Ready from your terminal or CI.

Scan your codebase for AI-generated code. Know your copyright risk before it becomes a legal problem.

Manufacturing & Engineering calculation formulas library - 182 industrial calculations across 15 domains for OEE, Cpk, SPC, FMEA, Nelson Rules, metal weight, CNC machining, GD&T, battery, environmental, pipe flow, logistics, IE time study, and more

Registry proxy that quarantines recently published npm package versions

Scaffold full-stack MERN exam projects - SMS, SRMS, SCMS, EPMS. Select, install, and run in seconds.

Verify Skill Provenance Attestations (SPA) for AI agent skill directories. Drop-in tamper-evidence for any registry, runner, or installer. Zero-deps, Web Crypto, Ed25519/JWS.

Security Trust Report: word-wrap@1.2.5 — 65/100 (B, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.

Stop npm supply-chain attacks before they execute. Zero-dependency security scanner: malicious package detection, lockfile audit, dropper detection, integrity checks, OWASP A03/A05/A08/A10 coverage, CycloneDX SBOM & VEX reports, provenance verification, s

Security Trust Report: @scopieflows/shared@0.54.0 — 54/100 (C, standard). Maintainer risk, supply chain analysis from 8 security databases.

Dependency health scores and abandonment risk forecasting for npm projects

Scan npm project dependencies and flag copyleft/restrictive licenses (GPL, AGPL, LGPL, SSPL). Zero dependencies — pure Node.js built-ins.

EANCOM 2002 (S3) Standard Definitions - 49 Message Types for Retail & Supply Chain

Dependency Inspector - A security analysis tool for npm packages

Dependency Inspector - A security analysis tool for npm packages

Shield your projects from npm supply-chain attacks. Checks packages against a curated registry of malicious, compromised, and typosquatted packages before installation.

pi coding-agent extension that intercepts network operations with approval flows, vulnerability scanning, and supply chain security enforcement.

Security Trust Report: coa@2.0.2 — 64/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: commondir@1.0.1 — 65/100 (B, standard). Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: node-ipc@12.0.0 — 68/100 (B, standard). 3 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Local-first security scanner for AI Skills (Anthropic Skill bundles, Niuma, OpenClaw, MCP, GPTs Actions). Catches malicious code, supply-chain attacks, and prompt injection — pure static analysis, sub-2s, zero LLM cost.

MCP server exposing all 9 AgentPost data verticals as AI agent tools

Security gate for npm, yarn and pnpm: verifies lockfile integrity and tarball hashes before installation

Graph-first dependency risk analysis for npm packages and dependency trees

MCP client adapter for connecting AI agents to Supplyflow Hospital Supply Chain Management API

Verifiable-credential supply chain compliance for npm. Sign attestations, verify dependencies, revoke compromised packages.

Dependency Inspector - A security analysis tool for npm packages

Inspect and apply install-time cooldown (min-release-age / exclude-newer) for npm and uv.

Security scanner for AI agent skills, configs, and MCP tools. Vet before you trust.

Security scanning for the vibe coding era. MCP server + CLI that finds secrets, auth bugs, SQL injection, XSS, IDOR, and vulnerable deps — and opens fix PRs. Works in Cursor, Claude Code, and VS Code. Bring your own model (Anthropic, OpenAI, Gemini, Groq,

Dependency Inspector - A security analysis tool for npm packages

EDIFACT EDI Parser - Format-specific infrastructure for UN/EDIFACT standard

depcheck — dependency scanner. 47-entry offline CVE database (incl. 2024 and supply-chain), unused/missing deps via static import analysis, transitive deps via package-lock.json, Python support (requirements.txt / pyproject.toml). Free forever from vøiddo

A fast implementation of graph data structure

Zero-dependency supply chain defense for Node.js/Bun — detects git tag rewrite attacks, postinstall backdoors, SHA drift, tarball tampering and unpinned GitHub Actions

A cross-platform wrapper for Perplexity's Bumblebee supply-chain inventory scanner.

Harmless npm lifecycle package for demonstrating nono ETI command mediation.

Centralized, opt-out-able release toolkit for every Geenius package and boilerplate. One canonical CLI (geenius-release) replaces the per-package supply-chain / license / SBOM / smoke-packed / gauntlet scripts.

Analyzes your full dependency tree — last commit date, open CVEs, bus factor, and risk score per package

Guardrail CLI - Enterprise security scanning with interactive menu, arrow navigation, and auto-installation

Analyze npm dependencies and generate package health, security, and maintainability reports.

Dependency health intelligence CLI — catch risks before they become crises

A fast, configurable CLI tool that scans your dependencies against a continuously-updated database of known compromised npm packages. Supports deep scanning of transitive dependencies via lock files.

Security Trust Report: @boxes-dev/dvb@1.0.655 — 61/100 (C+, standard). Maintainer risk, supply chain analysis from 8 security databases.

Zero-config CLI security gate — blocks risky dependency installs before they reach production

npm supply chain attack defense via execution isolation

Scan any GitHub or Bitbucket repo for malware, credential stealers, and crypto scams

A CLI tool to scan GitHub Enterprise organizations for SBOMs and check for compromised packages

Local scanner for installed VS Code and Cursor extensions — catalog matching, static analysis, optional AI deep scan

The most comprehensive Angular security auditing tool. 150+ rules, 10 scan types (OWASP, API security, performance, accessibility, dependency audit, hacking, complexity, code quality). Auto-fix suggestions, HTML dashboard, SVG badge generation, SARIF expo

Reproducible lockfiles, verification, diff, audit, and tests for Agent Skills

AI-powered security scanner with 15 scan phases, 10 specialist agents, container/IaC/DAST/taint analysis, and AI-assisted remediation.

NpmGuard CLI — check npm packages against NpmGuard security audits

SCM CLI - Supply Chain Management CLI tool

Security Trust Report: axios@1.14.0 — 65/100 (B, standard). 8 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Security Trust Report: opencode-ai@1.14.30 — 62/100 (C+, standard). 2 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.

Predictive dependency security engine. Trust scores, zombie detection, blast radius analysis for your supply chain.

Verdaccio middleware that blocks npm packages published less than N days ago, reducing supply-chain attack risk.

Minimal npm registry proxy with package/version whitelisting

A CLI tool for detecting the 'Shai-Hulud' npm supply chain attack that occurred in September 2025

Real-time malware scanner for npm packages

pnpm hook that blocks vulnerable packages before download. Uses GitHub Advisory Database with offline static DB fallback.

A security-focused npm installer that protects your projects from newly compromised packages

Vigiskill — security workbench for AI agent skills and OpenClaw mirror integrity. This is a placeholder package reserving the name for the upcoming production release.

Supply-chain governance plugin for OpenClaw - scan, assess, and quarantine risky skills

Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.