zonko-ai/supply-chain-attack — explained in plain English
Analysis updated 2026-05-18
Check a laptop or CI machine for traces of known malicious npm or Python packages
Get a quick offline verdict after hearing about a new supply chain attack in the news
Add it to a script that fails a build if compromised packages are detected
Spot npm packages whose install scripts secretly try to reach the internet
| zonko-ai/supply-chain-attack | aaaddress1/vibe-reading | amirhosseinjpl/jpl-sub-processor | |
|---|---|---|---|
| Stars | 24 | 24 | 24 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 2/5 | 3/5 |
| Audience | developer | researcher | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Just run npx supply-chain-attack, no install or config needed.
This JavaScript tool checks whether your computer has been affected by known "supply-chain attacks", a type of security breach where malicious code is secretly slipped into popular software packages that developers download and use. Think of it like a contaminated ingredient in a recipe: the finished dish looks fine, but the harm is already inside. To use it, you run a single command in your terminal, no installation required, and it scans your local package manager files (the places where downloaded software is stored). It checks npm, pnpm, Yarn, Bun, and Python environments for known bad packages using a built-in, offline list of advisories. It also flags any packages whose setup scripts try to make internet connections, which can be a sign of malicious behavior. The tool produces a clear report showing whether any suspicious packages were found, which specific packages triggered the alert, and how many package locations were scanned. In an interactive terminal, it offers menu options to learn more and take remediation steps. You can also run it with flags to get JSON output, list all tracked advisories, or turn off colors. Importantly, the scan is entirely offline, no data about your machine or your packages is sent anywhere. A clean result does not guarantee total safety, since the advisory list is a snapshot in time, but a positive finding is a strong signal to remove affected packages, clear caches, and rotate any credentials that may have been exposed. Built with JavaScript and requires Node.js 18 or newer.
A command line tool that scans your computer offline to check if you have packages linked to known supply chain attacks.
Mainly JavaScript. The stack also includes Node.js, JavaScript, npm.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.