PackjGuard
Hardens your repo, detects dependency confusion & typo-squatting attempts, blocks malicious/risky open-source dependencies
Supported languages
JavaScript, Ruby, Python, PHP, Java, and Rust
From the developer
PackjGuard is a GitHub app that monitors 👀 your public/private repos 24x7 for malicious, vulnerable, abandoned/deprecated, and other "risky" dependencies and mitigates 🛡️ software supply-chain attacks by creating pull requests for automatic remediation.
A recent (Dec '22) example is the PyTorch package, which was compromised using a dependency confusion vulnerability (no CVE assigned).
It is based on our open-source auditing tool Packj.
What
PackjGuard protects you against the following modern supply-chain threats (beyond CVEs) that existing scanners fail to detect:
✅ Dependency confusion attacks
✅ Typo-squatting or repo-jacking attacks
✅ Bad actors that sabotage their package
✅ Maintainer account or package takeovers
✅ CVEs or publicly known vulnerabilities
Why
Existing vulnerability scanners assume that open-source code is BENIGN and ONLY address threats from accidental programming bugs (a.k.a. code CVEs such as Log4J). They FAIL TO protect against SolarWinds-like modern attacks from deliberately bad (a.k.a. malicious) code that is propagated by bad actors using new vulnerabilities in the supply channel, such as dependency confusion, typo-squatting, protestware (sabotaging), account hijacking, and social engineering.
Pricing and setup
Trial
Perfect for protecting your open-source repos
- 1 user, unlimited public repos
- 24x7 repo monitoring w/ real-time security alerts
- Automated PRs for remediation
- 8x5 support: email or chat
PackjGuard is provided by a third party and is governed by a separate privacy policy and support documentation.