Most supply chain attacks follow the same playbook: preinstall hook runs automatically, reads your credentials, exfiltrates to a remote server. npm and pip execute this with no warning.
CVE databases can't catch these. The package isn't "vulnerable," it's intentionally malicious. I built a tool that analyzes what packages actually do: 46 behavioral detectors scan for network exfiltration, credential theft, shell execution, obfuscation, filesystem persistence, time-gated payloads, and more across npm and PyPI.
The key insight: individual signals are noise. Most legitimate packages use child_process or make network calls. So I built a correlator with 59 cross-signal amplifiers that combine findings into attack patterns. "Network access" alone gets suppressed on popular packages. Network access + CI secret theft + fresh publish + no GitHub repo = critical alert.
It also does version diff analysis. Not just "this package has network access" but "this package just added network access in this version."
Tested against 53,000 real packages (50,000 known malicious + 3,000 top clean npm packages): 99.95% precision. Catches attacks like event-stream, ua-parser-js, and ShaiHulud that CVE-only tools miss entirely.
Available as a GitHub Action, CLI (dg npm install), or API. Free tier available.
ComCat•6h ago
https://westbayberry.com
Curious if anyone here has dealt with a supply chain attack hitting production before? What tipped you off, and what did the blast radius look like?
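A toy version of the correlation idea from the post (suppressing isolated common signals on popular packages, amplifying co-occurring signals plus publish metadata, and weighting capabilities that first appear in a new version), as an added example; this is hypothetical code written here, not the tool's own, and the signal names, weights and thresholds are made up for illustration:

```python
from dataclasses import dataclass

@dataclass
class PackageScan:  # one package version plus the context the correlator needs (hypothetical schema)
    name: str
    signals: set            # behavioral findings in this version, e.g. {"network", "reads_ci_secrets"}
    prev_signals: set       # findings in the previous published version (for version-diff analysis)
    weekly_downloads: int
    days_since_publish: int
    has_repo: bool

# Weight of each isolated signal; none of them alone reaches an alert threshold.
BASE_WEIGHTS = {"network": 10, "shell_exec": 10, "preinstall_hook": 10,
                "reads_ci_secrets": 15, "obfuscation": 15, "time_gated": 15}
# Amplifiers: co-occurring signals that together form an attack pattern.
AMPLIFIERS = [
    ({"network", "reads_ci_secrets"}, 40, "network + CI secret access"),
    ({"preinstall_hook", "network"}, 30, "install-time network access"),
    ({"obfuscation", "shell_exec"}, 30, "obfuscated shell execution"),
]
COMMON = {"network", "shell_exec"}  # signals that legitimate packages routinely trigger
POPULAR = 1_000_000                 # weekly downloads above which an isolated common signal is suppressed

def correlate(scan: PackageScan):
    """Return (severity, score, reasons) for one scanned package version."""
    score, reasons = 0, []
    popular = scan.weekly_downloads >= POPULAR
    for sig in sorted(scan.signals):
        # A single common signal on a widely used package is noise, not evidence.
        if popular and sig in COMMON and len(scan.signals) == 1:
            reasons.append(f"{sig} suppressed: isolated signal on popular package")
            continue
        score += BASE_WEIGHTS.get(sig, 5)
    for combo, bonus, label in AMPLIFIERS:
        if combo <= scan.signals:
            score += bonus
            reasons.append(label)
    # Publication metadata amplifies behavioral findings rather than standing alone.
    for hit, bonus, label in ((scan.days_since_publish <= 2, 15, "fresh publish"),
                              (not scan.has_repo, 10, "no source repository")):
        if hit:
            score += bonus
            reasons.append(label)
    # Version diff: a capability that first appears in this version is weighted on its own.
    added = scan.signals - scan.prev_signals
    if added:
        score += 10 * len(added)
        reasons.append("newly added in this version: " + ", ".join(sorted(added)))
    severity = "critical" if score >= 80 else "high" if score >= 50 else "medium" if score >= 25 else "low"
    return severity, score, reasons
```

The same two signals score "low" on a long-published popular package and "high" when they appear for the first time in a version published today, which is the version-diff point the post makes.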