Build software better, together

tayyabt / trustlock

A Git-native dependency admission controller. Evaluates trust signals on every dependency change and blocks commits or builds when packages fail your team's policy. Pre-commit hook + CI gate with built-in approval workflow.

cli opensource devtools ci-cd provenance git-hooks lockfile dependency-management admission-controller slsa supply-chain-security npm-security

Updated Apr 18, 2026
JavaScript

agentic-dev3o / sandbox-shell

Star

macOS Seatbelt sandbox CLI for developers. Protect credentials (SSH, AWS, GPG) from malicious npm packages, supply chain attacks, and untrusted build scripts. Deny-by-default filesystem isolation. Perfect for Claude Code agentic workflows with --dangerously-skip-permissions.

macos shell rust cli security terminal sandbox developer-tools seatbelt supply-chain-security sandbox-exec credential-protection agentic-ai claude-code npm-security

Updated Apr 27, 2026
Rust

yanisvdc / why-claude-code-leaked

Star

Why Claude Code leaked: a deep dive into npm packaging failures, source map exposure, and modern supply chain security risks.

npm ci-cd source-map devsecops vulnerability-analysis cloud-security security-research security-best-practices r2-storage claude-code npm-security claude-code-leaked claude-code-leak claw-code packaging-security

Updated Apr 4, 2026
JavaScript

triconinfotech / shai-hulud-malicious-packages

Star

Autonomous “Shai-Hulud” engine that ingests malicious NPM package advisories from OSV, tracks versions and metadata, and maintains a continuously updated threat intelligence database.

nodejs npm security automation infosec osv security-tools devsecops threat-intelligence malware-detection github-actions open-source-security supply-chain-security package-security npm-security shai-hulud shai-hulud-detector shai-hulud2-detector malicious-packages-db

Updated Apr 28, 2026
JavaScript

dream-horizon-org / sentinel

Star

Sentinel Package Manager blocks compromised packages BEFORE installation, preventing malicious code execution. Features: Pre-install blocking, command interception (npm/yarn/pnpm/bun), 795+ blacklist (Shai-Hulud), real-time checks (OSV/GitHub/Snyk), zero dependencies, auto-updates. Counters supply chain attacks.

Updated Dec 2, 2025
JavaScript

z8run / aegis

Star

Supply-chain security scanner for npm packages. Detect malicious code, typosquatting, and compromised dependencies before you install them.

rust cli npm security tree-sitter static-analysis supply-chain developer-tools cve typosquatting sarif devsecops vulnerability-scanner malware-detection npm-audit package-security npm-security

Updated Apr 23, 2026
Rust

josedacosta / shai-hulud-detector

Star

🛡️ Advanced NPM supply chain attack detection tool - Specialized in detecting Shai-Hulud compromise indicators with beautiful CLI interface and automated security reporting

Updated Sep 19, 2025
TypeScript

bb1nfosec / bheeshma

Star

Runtime dependency behavior monitor for Node.js - detects software supply-chain abuse

security dependency-analysis supply-chain software-security malware-detection runtime-monitoring nodejs-security open-source-security behavioral-analysis npm-security

Updated Jan 19, 2026
JavaScript

weorbitant / search-github-org-for-nodejs-deps

Star

Search all repositories across a github organization and looks for nodejs dependencies

nodejs npm node package-security npm-security

Updated Dec 4, 2025
Shell

MinSeok-log / dryinstall

Star

Safe npm install that blocks lifecycle scripts and isolates packages in a sandbox.

security sandbox supply-chain lifecycle node-security npm-security

Updated Mar 25, 2026
JavaScript

BuildWithAbid / mcp-shield

Star

Security scanner for MCP (Model Context Protocol) servers. Detect prompt injection, secrets leaks, supply chain attacks, and vulnerabilities in MCP servers. CLI + MCP server mode.

Updated Apr 23, 2026
TypeScript

mamabearmehmi-hub / skill-sentry

Star

Scan Claude MCP skills for security threats before you install. npx skill-sentry < your skills github url> free, open source, no code executed.

security mcp scanner static-analysis claude supply-chain-security model-context-protocol mcp-server npm-security claude-skill

Updated Apr 27, 2026
TypeScript

Kowaulsky / axios-rat-scanner

Star

axios rat ioc-scanner npm-security supply-chain-attack

Updated Apr 1, 2026
Shell

samkwak188 / Husk-Agentic-dependency-security-CLI

Star

Won 🏆 Best Technical Depth Award @ LikeLion Hackathon 2026. Agentic install-time supply-chain security for npm and PyPI. Multi-agent verdicts, local registry proxy, honest Wilson-CI benchmarks.

cli security-tool supply-chain-security dependency-scanner dependency-confusion typosquat agentic-ai npm-security shai-hulud pypi-security

Updated Apr 19, 2026
TypeScript

copyleftdev / lazarus-19day-abtest

Star

Threat intel package for Lazarus Group's 3-wave GitHub phishing campaign targeting developers (Mar-Apr 2026). YARA, Sigma, Suricata, Nuclei rules + STIX 2.1 bundle + ATT&CK Navigator layer + full C2 infrastructure map. Defensive use only.

ioc apt phishing suricata nuclei stix sigma yara dprk threat-intelligence detection-rules mitre-attack supply-chain-security developer-security npm-security lazarus-group contagious-interview

Updated Apr 9, 2026
Python

TWRoloff / ENHANCED-SHAI-HULUD-SECURITY-SCANNER-PIPELINE

Star

An Azure Devops Scanner Pipeline Template to use to detect SHAI-HULUD Worm

security-scanner worm threat-intelligence malware-detection supply-chain-security npm-security shai-hulud

Updated Sep 19, 2025

ertugrulakben / dep-oracle

Star

Predictive dependency security engine. Trust Scores for npm/Python packages. Detects zombies, typosquats, and supply chain risks before they become CVEs.

cli open-source security-audit cve python-security supply-chain-security dependency-scanner trust-score npm-security typosquat-detection