These aren't CVEs. Your scanner won't find them.
Malicious packages aren't vulnerabilities in legitimate code. They're purpose-built attacks: credential theft, reverse shells, data exfiltration. Traditional SCA tools weren't designed to detect them.
Detect threats before they land
SafeDep continuously scans package registries and detects malicious publications on average 14 hours before public advisories.
See how
Block at every layer
From your IDE to your CI/CD pipeline, malicious dependencies are stopped before they execute. On developer machines and in pull requests.
See how
See everything across your org
Centralized visibility into every external component, policy enforcement across teams, and compliance-ready reporting.
See how
Know what's entering your environment
SafeDep builds a real-time inventory of every external component flowing into your stack. Packages, MCP servers, plugins, extensions, and repositories, across every developer and AI agent in your organization.
Using GitLab or Bitbucket? Talk to us
Identify what's dangerous before it executes
SafeDep's threat intelligence engine analyzes every component for real threats: typosquats, obfuscated code, data exfiltration, and known malicious patterns. Each component gets a clear verdict, block, allow, or investigate, before it touches your codebase.
Protection that moves with your AI agent
When AI agents like Cursor, Claude, or Windsurf install a package, SafeDep MCP checks it before it lands on your machine. Malicious packages are blocked instantly. Safe ones proceed without friction.
The CI/CD safety net that catches what slips through
SafeDep runs in your pipeline and scans every pull request for malicious dependencies. If something dangerous is found, the merge is blocked before it reaches your main branch.
Govern what flows into your organization.
Set org-wide policies for what packages are allowed. Get centralized visibility across every team. Generate compliance-ready reports for audits.
The Unified SafeDep Platform
Discovery, assessment, enforcement, monitoring, and governance. Everything your security team needs, in one place.
Threat research from the supply chain frontline
Miasma Worm Infects Multiple LeoPlatform npm Packages
A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub Actions workflows to at least three repos. The payload is the same Bun-based credential stealer and self-propagating worm documented in our Miasma source code analysis.
The wshu.net npm Campaign Delivers a Multi-Stage Infostealer
One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from GitHub Releases that drains crypto wallets, browser credentials, cloud tokens, and SSH keys. Amazon Inspector tracks the same cluster as Operation Friday Harvest.
MYRA: A Full Linux RAT Distributed via npm
The npm package apintergrationpost is a red team RAT called MYRA with native C rootkit, triple persistence, fileless execution, live screen streaming, and process masquerade. This analysis documents its full capability set so defenders can detect and respond if it is misused.
Ship code
Not malware
Start free with open source tools on your machine. Scale to a unified platform for your organization.
Star on GitHub 