Security teams need evidence, not blind trust

Verify what changed before you trust an open source update.

Verify package releases, inspect suspicious drift, and strengthen dependency trust.

Pwned Packages helps security teams verify release integrity, detect suspicious supply-chain drift, and build confidence in the dependencies their software depends on.

  • Release verification
  • Incremental diffs
  • Supply-chain tamper detection

Public evidence snapshot

`[email protected]`

npm MVP proof
Baseline: 5.4.0
Verdict: High review priority
Changed files: 12
  • Install script behavior changed in `package.json`.
  • New executable path introduced under `bin/`.
  • Advisory context attached before the summary was generated.
Baseline snapshot preserved: Stored in the public repository

What gets verified

Reviewable signals that explain why a package release deserves trust or scrutiny.

Incremental release verification

Track what changed from one package release to the next so reviewers can inspect actual drift instead of relying on package reputation alone.

Tamper-focused evidence

Surface risky install scripts, new executables, manifest edits, suspicious paths, and advisory context before any narrative summary is shown.

Public investigation history

Keep prior analyses visible in a repository your team can revisit when a dependency comes back under scrutiny.

Two layers of supply-chain trust

Public release intelligence now, private dependency reassurance next.

Live now

Public Release Repository

Review public package release analyses, compare versions, and inspect why a change looks routine or risky before it lands in production.

  • Explore stored release investigations
  • Verify incremental changes against a known baseline
  • Use npm examples today without limiting the broader product vision
Upcoming

Private Lockfile Scanner

Scan your lockfiles and dependency tree for signs of tamper, malicious code, or suspicious supply-chain drift inside the dependencies your team actually ships.

  • Verify internal dependency trees against trusted expectations
  • Flag supply-chain anomalies before deployment
  • Extend public release intelligence into private dependency reassurance

How the lockfile scanner works

Trust gating happens before dependencies are downloaded into your environment.

The scanner is positioned as a pre-install control for teams that want to stop insecure packages before they ever land in the build. It uses existing public analyses when possible and expands coverage by analyzing packages the platform has not seen yet.

1. Add the scanner before dependency installation

Place the package scanner in the install path so dependency trust is checked before the package manager downloads and executes code.

2. Query known analyses and inspect unknown packages

Before installation proceeds, query existing analyses in the platform and analyze packages that have not been reviewed yet.

3. Block insecure or suspicious packages

If a release or transitive dependency shows tamper signals, malicious code indicators, or unresolved risk, installation is stopped before the package enters the environment.

4. Allow download only after the set clears trust checks

When the dependency tree passes the trust gate, packages can be downloaded and installed with the reassurance that the requested set is not flagged.

Supported ecosystems

Built for a broader open-source supply chain, with rollout state visible per ecosystem.

npm is the live proof surface today. The list below shows the broader package-manager coverage the platform is expanding into without pretending that every ecosystem is already live.

  • npm: Live now (Node.js packages)
  • PyPI: Expanding next (Python packages)
  • Maven: Expanding next (Java packages)
  • RubyGems: Expanding next (Ruby packages)
  • Cargo: Expanding next (Rust crates)
  • Go modules: Expanding next (Go dependencies)
  • NuGet: Expanding next (.NET packages)
  • Packagist: Expanding next (PHP packages)

How suspicious drift is surfaced

Start from evidence that a security reviewer can verify in minutes.

The repository is built to show what changed, where the change happened, and why it might matter. npm is the current proof surface, but the product narrative stays focused on open-source dependency trust across ecosystems.

  1. Baseline scan on the first observed release, then incremental diffs on later versions.
  2. Manifest and installer changes such as package.json script edits or dependency drift.
  3. New entrypoints, binaries, suspicious paths, and files worth deeper review.
  4. Stored public evidence that makes package risk decisions easier to share.
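The signals listed above (install-script edits in package.json, new executables under bin/, dependency drift) and the trust gate described in the scanner steps can be reduced to a small manifest diff. The following is an added example, not Pwned Packages' own code: it compares a baseline package.json against a candidate release, emits reviewable drift signals, assigns a verdict, and exposes an allow/block decision of the kind step 3 would make. The package name `example-pkg`, both manifests, and the verdict labels are constructed for illustration.

```python
"""Added example: detect suspicious drift between two npm package.json
manifests (baseline vs. candidate release) and gate installation on the
result. Not Pwned Packages' code; package name and manifests are constructed."""
import json
from dataclasses import dataclass, field

# npm lifecycle hooks that execute on the consumer's machine at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Signal prefixes that on their own justify a high review priority.
HIGH_PRIORITY_PREFIXES = ("install-script", "new-bin", "bin path")


@dataclass
class DriftReport:
    baseline: str
    candidate: str
    signals: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Install-hook or executable drift is the strongest tamper signal.
        if any(s.startswith(HIGH_PRIORITY_PREFIXES) for s in self.signals):
            return "High review priority"
        return "Review" if self.signals else "Routine"


def _bin_map(manifest: dict) -> dict:
    """Normalise the 'bin' field, which may be a string or a name->path mapping."""
    bins = manifest.get("bin")
    if bins is None:
        return {}
    if isinstance(bins, str):
        return {manifest.get("name", ""): bins}
    return dict(bins)


def diff_manifests(base: dict, cand: dict) -> DriftReport:
    """Compare a baseline manifest with a candidate release and list drift signals."""
    report = DriftReport(base.get("version", "?"), cand.get("version", "?"))
    base_scripts, cand_scripts = base.get("scripts", {}), cand.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if base_scripts.get(hook) != cand_scripts.get(hook):
            if hook not in base_scripts:
                kind = "added"
            elif hook not in cand_scripts:
                kind = "removed"
            else:
                kind = "changed"
            report.signals.append(f"install-script {kind}: {hook} -> {cand_scripts.get(hook)!r}")
    base_bins, cand_bins = _bin_map(base), _bin_map(cand)
    for name, path in cand_bins.items():
        if name not in base_bins:
            report.signals.append(f"new-bin entry: {name} -> {path}")
        elif base_bins[name] != path:
            report.signals.append(f"bin path changed: {name} {base_bins[name]} -> {path}")
    for dep_field in ("dependencies", "optionalDependencies"):
        base_deps, cand_deps = base.get(dep_field, {}), cand.get(dep_field, {})
        for name in sorted(cand_deps.keys() - base_deps.keys()):
            report.signals.append(f"new-dependency: {dep_field}/{name}@{cand_deps[name]}")
    return report


def allow_install(reports: list) -> bool:
    """Trust gate: block the whole requested set if any release is high priority."""
    return all(r.verdict != "High review priority" for r in reports)


# Constructed sample manifests for a hypothetical package 'example-pkg'.
BASELINE = json.loads("""{
  "name": "example-pkg", "version": "5.4.0",
  "scripts": {"test": "node test.js"},
  "bin": {"example-pkg": "bin/cli.js"},
  "dependencies": {"lodash": "^4.17.21"}
}""")
CANDIDATE = json.loads("""{
  "name": "example-pkg", "version": "5.4.1",
  "scripts": {"test": "node test.js", "postinstall": "node scripts/setup.js"},
  "bin": {"example-pkg": "bin/cli.js", "example-helper": "bin/helper.js"},
  "dependencies": {"lodash": "^4.17.21", "tiny-util": "1.0.0"}
}""")

if __name__ == "__main__":
    report = diff_manifests(BASELINE, CANDIDATE)
    print(f"{report.baseline} -> {report.candidate}: {report.verdict}")
    for signal in report.signals:
        print("  -", signal)
    print("install allowed:", allow_install([report]))
```

Running it against the constructed manifests reports three signals (a new `postinstall` hook, a new `bin/helper.js` executable, and a new dependency) and blocks installation; comparing the baseline with itself yields a routine verdict. The design keeps every verdict tied to a concrete signal string so a reviewer can see which changed field drove the decision rather than a bare score.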

Why this matters

Trust in open source improves when release decisions are backed by public evidence.

Baseline first: Every package starts with a full snapshot before later releases are reviewed incrementally.
Evidence over hype: Risk claims stay tied to changed files, manifest drift, scripts, and other observable signals.
Trust at team scale: Security teams get a reusable record of why an update looked safe, suspicious, or worth deeper review.

Scanner access

Private lockfile scanning is the next layer of reassurance for teams with real dependency exposure.

The scanner is not exposed as a live workflow in this MVP yet. This page positions it as the next product layer while the public repository proves the investigation model today.