Can NPM, pnpm etc. use frontier models to check packages for malware?

4•VikRubenfeld•6h ago

Just a thought. This seems like something that should happen

Comments

benoau•6h ago

Surely Microsoft would already be doing this extensively across GitHub, NPM, NuGet etc...

SpyCoder77•1h ago

Yes, users don't need copilot (the desktop version), they need to not get malware

lalsanhim•6h ago

Hii

twunde•2h ago

This is essentially what some 3rd party vendors do, which is why supply chain malware is typically found in hours now and not weeks.

The reason why npmjs, pypy and other public registries don't do this is because it would likely 10x+ the cost of their infrastructure while not bringing in much new revenue. It's also potentially orthogonal to paint customers needs since it could likely lead to downtime or at least block new releases going out

Rumors of my death are slightly exaggerated

Ask HN: We just had an actual UUID v4 collision...

Can NPM, pnpm etc. use frontier models to check packages for malware?

Novel macro signals for AI-related job loss?

Reflections on NetBSD 11

0ctx – Local-first project memory for AI workflows

Ask HN: How do you find good personal blogs on Google nowadays?

Ask HN: How do we handle the rise of low quality "This is LLM" comments?

Ask HN: How are you handling QA being bottlenecked with more AI-generated PRs?

Ask HN: What is your go-to solution for a personal wiki in 2026?

Ask HN: What will happen as AI costs increase?

Claude Flags Hantavirus Vaccine Questions as Security Risk

"Surface" a Governed AI-Agentic Surface

Ask HN: Are we gonna back less powerful local LLMs

Ask HN: What do you still do manually in 2026 that should be automated?

Ask HN: How to start up as an individual developer?

Ask HN: Who got hired with Who wants to be hired? (On 2026)

Ask HN: Is the Job Market Actually Bad?

Ask HN: Is the future everyone having 100 MCP processes running on their PC?

Ask HN: Is anyone seriously considering a career change?

Ask HN: Best Embedding Models?

Ask HN: Terafab – Smart move or insane financial risk?

Can NPM, pnpm etc. use frontier models to check packages for malware?

Comments

Rumors of my death are slightly exaggerated

Ask HN: We just had an actual UUID v4 collision...

Can NPM, pnpm etc. use frontier models to check packages for malware?

Novel macro signals for AI-related job loss?

Reflections on NetBSD 11

0ctx – Local-first project memory for AI workflows

Ask HN: How do you find good personal blogs on Google nowadays?

Ask HN: How do we handle the rise of low quality "This is LLM" comments?

Ask HN: How are you handling QA being bottlenecked with more AI-generated PRs?

Ask HN: What is your go-to solution for a personal wiki in 2026?

Ask HN: What will happen as AI costs increase?

Claude Flags Hantavirus Vaccine Questions as Security Risk

"Surface" a Governed AI-Agentic Surface

Ask HN: Are we gonna back less powerful local LLMs

Ask HN: What do you still do manually in 2026 that should be automated?

Ask HN: How to start up as an individual developer?

Ask HN: Who got hired with Who wants to be hired? (On 2026)

Ask HN: Is the Job Market Actually Bad?

Ask HN: Is the future everyone having 100 MCP processes running on their PC?

Ask HN: Is anyone seriously considering a career change?

Ask HN: Best Embedding Models?

Ask HN: Terafab – Smart move or insane financial risk?