Detect npm packages compromised in the Shai-Hulud 2.0 supply chain attack (Nov 2025). Scans for 790+ malicious packages, suspicious scripts, TruffleHog activity, SHA1HULUD runners, and secrets exfiltration. GitHub Action with SARIF support.

JavaScript implementation of The Update Framework (TUF)

CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.

OPA Gatekeeper provider for GitHub Artifact Attestations

Demo repository showcasing how to use reusable workflows to build artifact attestations

Autonomous “Shai-Hulud” engine that ingests malicious NPM package advisories from OSV, tracks versions and metadata, and maintains a continuously updated threat intelligence database.

World-class security standard for npm packages. Automated threat detection, supply chain analysis, and 0-100 security scores. Because in 2025, we can do better than the Wild West

Search all repositories across a github organization and looks for nodejs dependencies

package scanner for Arch Linux based systems

Security scanner for Node.js projects with AI-powered vulnerability detection and package recommendations