What we do
We treat every package as hostile data. PkgRadar unpacks and analyzes new releases — code, manifests, and install hooks — without ever running them, scores the result, and returns a block / review / pass verdict your pipeline can gate on in one line. We correlate related malicious releases into campaigns and surface the whole thing on a public intelligence feed.
Why we built it this way
Static-only analysis is a deliberate choice: it lets us inspect malware safely, at registry scale, on day zero — no sandbox, no execution, no waiting for someone else to get burned first. That's how we flag a large share of malicious packages before their public OSV advisory exists. We're precision-first: a gate that cries wolf gets turned off, so we publish our precision and recall openly and never ship a detector change that adds a false positive. See the detection methodology and our live coverage and lead-time for the full picture.
Who's behind it
PkgRadar is built and operated by Zenofex LLC, an independent security company. More about the team and our other work is at zenofex.com.
Talk to us
- Sales & plans — [email protected]
- Security & responsible disclosure — [email protected] (see our security policy)
- Detection feedback / false positives — [email protected]
- Privacy & data requests — [email protected]
Ready to try it? Start free — 25 scans a month, no card.