supplycheck

cross-ecosystem package supply chain risk scorer by Hijack Security

Pick an ecosystem and enter a package name, or paste a lockfile.

Try: lodash (npm), requests (pypi), com.google.guava:guava (maven), github.com/gin-gonic/gin (go), Newtonsoft.Json (nuget)

Try a typosquat: loadsh (npm), panda (pypi)

Try a confirmed-malicious: event-stream, ua-parser-js (npm)

How does this work?

Grade reflects only findings affecting the currently published version. Historical advisories on older versions are listed but don't count toward the letter grade.

Universal signals run on every package: typosquat distance vs popular-package baselines, package age, single-maintainer risk, missing repository link, Unicode homoglyphs, and stale releases.

Ecosystem-specific signals add: npm install scripts, sigstore provenance, bin name collisions; PyPI sdist-only releases, PEP 740 attestations, yanked versions; Maven reverse-DNS namespace conventions; Go import path host checks; NuGet unlisted/deprecated state.

Confirmed-malicious means MAL-* advisory IDs (OpenSSF Malicious Packages), database_specific.malware markers from GHSA, or matched malware keywords (backdoor, info-stealer, protestware, …) in the advisory body.

Not checked: package source contents, install-time behavior in a sandbox, transitive depth past top-level lockfile parse, runtime telemetry. supplycheck is a registry+OSV signal aggregator — for content-aware analysis, use a dedicated scanner.

Heuristic ≠ verdict. A high-severity heuristic finding doesn't mean malicious. An info finding doesn't mean safe. The grade is a starting point for a human review, not a decision.