whatisgithub

What is supply-chain-attack?

zonko-ai/supply-chain-attack — explained in plain English

Analysis updated 2026-05-18

24JavaScriptAudience · developerComplexity · 2/5LicenseSetup · easy

In one sentence

A command line tool that scans your computer offline to check if you have packages linked to known supply chain attacks.

Mindmap

mindmap
  root((supply-chain-attack))
    What it does
      Scans for known bad packages
      Offline advisory snapshot
      Flags risky install scripts
    Tech stack
      Node.js
      JavaScript
      npm CLI
    Use cases
      Check a machine after news of an attack
      CI build gate
      Spot suspicious postinstall scripts
    Audience
      Developers
      Security teams
    Output
      Terminal report
      JSON mode
      Exit codes for automation

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check a laptop or CI machine for traces of known malicious npm or Python packages

USE CASE 2

Get a quick offline verdict after hearing about a new supply chain attack in the news

USE CASE 3

Add it to a script that fails a build if compromised packages are detected

USE CASE 4

Spot npm packages whose install scripts secretly try to reach the internet

What is it built with?

Node.jsJavaScriptnpmCLI

How does it compare?

zonko-ai/supply-chain-attackaaaddress1/vibe-readingamirhosseinjpl/jpl-sub-processor
Stars242424
LanguageJavaScriptJavaScriptJavaScript
Setup difficultyeasymoderatemoderate
Complexity2/52/53/5
Audiencedeveloperresearcherops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Just run npx supply-chain-attack, no install or config needed.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

So what is it?

This JavaScript tool checks whether your computer has been affected by known "supply-chain attacks", a type of security breach where malicious code is secretly slipped into popular software packages that developers download and use. Think of it like a contaminated ingredient in a recipe: the finished dish looks fine, but the harm is already inside. To use it, you run a single command in your terminal, no installation required, and it scans your local package manager files (the places where downloaded software is stored). It checks npm, pnpm, Yarn, Bun, and Python environments for known bad packages using a built-in, offline list of advisories. It also flags any packages whose setup scripts try to make internet connections, which can be a sign of malicious behavior. The tool produces a clear report showing whether any suspicious packages were found, which specific packages triggered the alert, and how many package locations were scanned. In an interactive terminal, it offers menu options to learn more and take remediation steps. You can also run it with flags to get JSON output, list all tracked advisories, or turn off colors. Importantly, the scan is entirely offline, no data about your machine or your packages is sent anywhere. A clean result does not guarantee total safety, since the advisory list is a snapshot in time, but a positive finding is a strong signal to remove affected packages, clear caches, and rotate any credentials that may have been exposed. Built with JavaScript and requires Node.js 18 or newer.

Copy-paste prompts

Prompt 1
Explain what a supply chain attack is and why checking my package caches matters
Prompt 2
Show me how to run npx supply-chain-attack and read its output
Prompt 3
Help me add this scanner as a CI check that fails the build on findings
Prompt 4
Walk me through what to do if this tool finds a hit on my machine

Frequently asked questions

What is supply-chain-attack?

A command line tool that scans your computer offline to check if you have packages linked to known supply chain attacks.

What language is supply-chain-attack written in?

Mainly JavaScript. The stack also includes Node.js, JavaScript, npm.

What license does supply-chain-attack use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is supply-chain-attack to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is supply-chain-attack for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.