supplycheck

cross-ecosystem package supply chain risk scorer by Hijack Security

Pick an ecosystem and enter a package name, or paste a lockfile.

Try: lodash (npm), requests (pypi), com.google.guava:guava (maven), github.com/gin-gonic/gin (go), Newtonsoft.Json (nuget)

Try a typosquat: loadsh (npm), panda (pypi)

Try a confirmed-malicious: event-stream, ua-parser-js (npm)

Live registry data + OSV.dev advisories. No backend, no tracking. Findings are heuristic — high severity ≠ malicious, info ≠ safe. MAL-* advisories and detected malware keywords are ground-truth confirmed-malicious. Built by Hijack Security.