NPM install is stealing your passwords – I built a tool to catch it
a day ago
- #dependency-management
- #security
- #CI/CD
- Behavioral Supply Chain Intelligence provides visibility into dependency behavior in CI pipelines.
- Every package change receives a risk score and behavioral report to flag suspicious packages.
- Configurable thresholds, allowlists, and audit trails ensure compliance.
- Without such a check, dependency updates can merge unreviewed, so zero-day attacks in packages that have no CVE go undetected.
- Solution offers automated governance with pass/warn/block thresholds and audit trails.
- Works with GitHub Actions, GitLab CI, Jenkins, and more via a simple YAML file or npm install.
- Detection accuracy validated against 11,000+ real packages (99.95% precision, 99.7% F1).
- Four-step process: PR → Scan → Verdict → Merge with confidence.
- 26 behavioral detectors analyze packages for malicious patterns.
- Capabilities include CI enforcement, configurable policies, and private source code scanning.
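The gating step described above (PR → Scan → Verdict → Merge), as an added example that is not the tool's own code: it diffs two lockfile-style dependency maps to find every package change, applies configurable pass/warn/block thresholds to a per-package risk score, honours a pinned allowlist, and records an audit entry per package. The thresholds (40 and 70), package names, scores and findings are all constructed stand-ins for what a real behavioural scanner would produce.

```javascript
// Added example: a minimal CI merge gate for dependency changes.
// Not the project's code; policy values, package names and scores are constructed.

const policy = {
  warnAt: 40,   // score >= warnAt -> "warn"   (assumed threshold)
  blockAt: 70,  // score >= blockAt -> "block" (assumed threshold)
  // Reviewed exceptions, pinned to an exact version so a later release is re-scanned.
  allowlist: new Set(["left-pad@1.3.0"]),
};

// Diff two {name: version} maps (as a lockfile would give) and return packages
// that were added or changed version. Removed packages need no scan.
function changedPackages(before, after) {
  const changes = [];
  for (const [name, version] of Object.entries(after)) {
    if (before[name] !== version) {
      changes.push({ name, version, previous: before[name] ?? null });
    }
  }
  return changes;
}

// Constructed stand-in for behavioural scan output, keyed by name@version.
const scanResults = {
  "lodash@4.17.21": { score: 5, findings: [] },
  "left-pad@1.3.0": { score: 55, findings: ["postinstall script present"] },
  "colorz@1.0.3": { score: 92, findings: ["reads ~/.npmrc", "network call from install hook"] },
};

function verdictFor(score, policy) {
  if (score >= policy.blockAt) return "block";
  if (score >= policy.warnAt) return "warn";
  return "pass";
}

// Evaluate one PR's dependency changes. Returns the overall decision plus an
// audit trail with one record per package, so the decision can be reconstructed later.
function evaluate(before, after, scans, policy, now = () => new Date().toISOString()) {
  const rank = { pass: 0, warn: 1, block: 2 };
  const audit = [];
  let overall = "pass";
  for (const change of changedPackages(before, after)) {
    const key = `${change.name}@${change.version}`;
    const scan = scans[key];
    // Fail closed: a package with no scan result is blocked, not silently passed.
    let verdict = scan ? verdictFor(scan.score, policy) : "block";
    let reason = scan ? `score ${scan.score}` : "no scan result";
    if (policy.allowlist.has(key) && verdict !== "pass") {
      reason += `; ${verdict} overridden by allowlist`;
      verdict = "pass";
    }
    audit.push({
      at: now(),
      package: key,
      previous: change.previous,
      verdict,
      reason,
      findings: scan ? scan.findings : [],
    });
    if (rank[verdict] > rank[overall]) overall = verdict;
  }
  return { overall, audit };
}

// Constructed lockfile snapshots for a PR that bumps lodash, bumps left-pad,
// and introduces a new package.
const before = { lodash: "4.17.20", "left-pad": "1.2.0" };
const after = { lodash: "4.17.21", "left-pad": "1.3.0", colorz: "1.0.3" };

const result = evaluate(before, after, scanResults, policy);
console.log(JSON.stringify(result, null, 2));
```

Only the highest verdict across all changes decides the merge; a CI job would fail the build on `block`, annotate the PR on `warn`, and persist the `audit` array alongside the run so reviewers can see which package and which findings produced the decision.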