Supply Chain Security for Modern Dev Stacks
Package Supply Chain Sentinel is a specialized audit tool designed to catch malicious dependencies before they enter your codebase. It automates the tedious and error-prone process of reviewing lockfile diffs and package manifests for signs of typosquatting, hidden lifecycle scripts, and high-risk version shifts.
What it does
The skill performs a dual-layered analysis: an automated heuristic scan using local scripts and a manual-review simulation based on industry-standard audit checklists. It examines package.json, pyproject.toml, requirements.txt, and their respective lockfiles to identify anomalies that standard vulnerability scanners might miss.
- Typosquatting Detection: Spots name-hijacking attempts (e.g.,
requesstvsrequests). - Manifest Auditing: Flags suspicious
preinstallorpostinstallscripts that could execute arbitrary code. - Lockfile Integrity: Detects unexpected registry changes or hash mismatches in dependency diffs.
- Evidence-Based Reporting: Provides a ranked list of findings (Critical to Info) with cited evidence and remediation snippets.
Supported Frameworks & Tools
The Sentinel works across major ecosystems, supporting npm, pnpm, yarn, pip, uv, and poetry. It is designed to be integrated into CI/CD pre-commit hooks or used during PR reviews to verify third-party code changes.
Why use this skill?
Standard security tools often focus on known CVEs. This skill focuses on intent and anomalies. Instead of just flagging an old version, it alerts you if a package suddenly starts running a shell script on install or if a lockfile is pointing to a non-standard registry. It saves developers hours of manual diff-checking while providing a higher level of assurance for sensitive production environments.