Lockfile-first scanner for compromised npm/PyPI/Maven/Cargo/Go/RubyGems packages — OSV + curated extras feed, SLSA L3, locked-container CI

🛡️ Blazing fast Supply Chain Security tool written in Rust. Features ephemeral sandboxing, hybrid analysis (CVE + Heuristics), and entropy-based malware detection.

Real-time npm/PyPI supply-chain threat detection. Behavioral chain analysis, AST scanning, IOC feeds, and compound scoring engine.

GuOx: Ultimate enterprise‑grade, AI & WASM‑powered Express security framework.

Paste your manifest. Get back the fixed files. Free browser-based dependency security fixer — npm, PyPI, Ruby, PHP. No login. No CLI.

Open-source local dependency and vulnerability scanner for Java (Maven/Gradle) and JavaScript (npm) projects.

Supply-chain security and dependency analysis tool for the npm ecosystem

Scan projects for CVEs in AI-generated dependencies. Zero API calls. Works offline.

Supply-chain security CLI for npm/bun/yarn/pnpm — install gate + lockfile snapshots + AST risk scoring

DepScope — Package Intelligence for AI Agents. 22 MCP tools, 19 ecosystems, free, no auth. https://depscope.dev

Cross-ecosystem dependency security scanner. Detects the axios RAT supply chain attack and similar threats. 4-layer detection: AST analysis, behavioral fingerprinting, dep graph profiling, registry metadata. Scans npm/PyPI/Cargo/Brew. Zero dependencies.

AI-powered open source license compliance scanner. Analyzes how dependencies are actually used — not just what license they have — to determine if obligations trigger for your distribution model. Multi-agent AI pipeline, MCP server for Claude Code integration, and structured output for AI assistants. Zero API keys needed for local use.

Scan a directory tree for npm packages compromised in a supply-chain incident, given a CSV of affected packages. Great for detecting Shai-Hulud worm infestation.

Multi-ecosystem SBOM scanner with interactive HTML report, dependency tree, and CVE scanning. Supports npm, PyPI, Dart, Maven/Gradle, Rust/Cargo.

Detect dependency confusion attack vectors in Node.js projects

Ubel is a fast, cross‑ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with: PyPI (via ubel-pip), npm (via ubel-npm),and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).

Shell script to detect TanStack npm supply chain attack indicators (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx)

Offline supply chain security scanner. Detects malicious packages, typosquatting, compromised dependencies, and unsafe CI configurations across npm, pip, Cargo, NuGet, and Maven. Zero dependencies. AI/MCP-ready.

Predictive dependency security engine. Trust Scores for npm/Python packages. Detects zombies, typosquats, and supply chain risks before they become CVEs.

CLI for depscope.dev — audit deps before install