pkgxray
Analyze packages before you install them.
Zero-dependency · runs locally · never executes untrusted code
Move across the package to x-ray it
npm is where the malware is.
Agents install packages and connect to MCP servers at machine speed. The registry they pull from is under industrial-scale attack.
CVE scanners find known bugs. pkgxray asks what the code does — before a single line runs on your machine.
Figures from Sonatype’s 2026 State of the Software Supply Chain and OSS Malware Index; MCP posture from Anthropic’s Dec 2025 update and public registry audits.
Watch a verdict form
Pick a package. This demo replays real fixtures — it does not download or execute anything in your browser.
pkgxray guard
Three verdicts. Stable exit codes.
Click a verdict to see what it means for install, CI, and agents.
No high- or medium-risk indicators. Default policy promotes out of quarantine. Install.
One engine. Every surface.
CLI, MCP, install hook, and CI all share the same policy and the same evidence rules.
- guard Quarantine a package, audit bytes, promote only if allowed
- mcp Vet a server before connect — most public MCP servers ship with static keys and little verification
-
hookshot
Intercept agent
npm installwith cited deny - recheck Catch trojaned updates against a stored baseline