Supply-chain firewall · open source
Block malicious packages before they install.
Scanners email you after the malware ran. DepGuard is a firewall: check any npm or PyPI package against known-malicious advisories, risky install scripts, and registry red flags — and get a block/allow verdict in seconds.
Live data from OSV.dev and the public npm / PyPI registries at check time. Free, no account.
How the verdict works
Known-malicious advisories
Every check queries OSV.dev live. A MAL-* advisory — the label given to confirmed malware campaigns like event-stream or the 2026 poisoned-tools wave — is an instant BLOCK, and CVE/GHSA/PYSEC vulnerabilities raise a warning.
Install-script behavior
npm packages that run preinstall/install/postinstall scripts execute arbitrary code the moment you install them — the #1 malware delivery vehicle. DepGuard flags them, plus PyPI releases that ship only an sdist (setup.py runs at install).
Default-deny policy
A name that doesn't exist in the registry is BLOCKED, not ignored — that's how typosquats and AI-hallucinated dependencies get through today. Brand-new, deprecated, or abandoned packages raise warnings before you depend on them.
This checker is the firewall's brain
The same decision engine is heading into tools that enforce the verdict instead of just showing it:
- 1
depguard install — the local firewall
A CLI shim for npm, pnpm and pip that runs this exact decision engine before any package touches your disk, and blocks on policy violations. Open source.
- 2
CI gate
Fail the build when a lockfile change introduces a package this engine would block — enforcement where it can't be skipped.
- 3
MCP servers & editor extensions
The same policy applied to the new attack surface scanners ignore: MCP server manifests, VS Code extensions, and browser add-ons.
The web check stays free.
Join the waitlist to get the open-source CLI and CI gate the day they ship — and early access to hosted policy management for teams.