Supply chain risk scanner

Paste your dependencies.
See what's hiding.

Three packages in a typical project are CRITICAL right now: chalk (399M downloads/week, 1 maintainer), zod (139M, 1 maintainer), axios (96M, 1 maintainer — attacked April 1st). Stars and READMEs don't show this. Behavioral signals do.

Drop your package.json or requirements.txt here. Dependencies are extracted automatically.

No install. No API key. Data from npm registry + PyPI. Source code →

Transitive risk

The risks you don't see coming

Your package may look fine. Its dependencies may not. The Anthropic SDK scores healthy — but two of its transitive dependencies are CRITICAL. Neither shows up in a direct audit.

npm only · max depth 2 · up to 20 nodes

What the score measures

Longevity: How long has this package existed? Abandoned projects get reactivated for attacks.
Maintainer depth: Single maintainer + millions of weekly downloads = the attack surface LiteLLM exploited.
Release consistency: Regular releases signal active oversight. Long gaps = vulnerability accumulation.
Download trend: Growing packages attract more scrutiny (and attacks). Stable = lower profile.

Risk flags: CRITICAL = single maintainer + >10M weekly downloads (exact LiteLLM/axios attack profile). HIGH = package <1yr old + rapid adoption. WARN = no release in 12+ months.
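The flag rules above and the bounded transitive walk described under "Transitive risk" (npm only, max depth 2, up to 20 nodes) can be expressed directly in code. The following is an added example written for this page; it is not the scanner's own source. The package names, maintainer counts, download figures and dates in REGISTRY are constructed to mirror the "healthy root, CRITICAL transitive dependency" scenario, not real registry data. The page does not define "rapid adoption", so the 1M weekly downloads threshold is an assumption, as is counting the root package itself toward the 20-node cap.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date

# Fixed reference date so the age / staleness arithmetic is deterministic (constructed).
TODAY = date(2025, 6, 1)

# Thresholds taken from the page's flag definitions; RAPID_ADOPTION is an assumption.
CRITICAL_DOWNLOADS = 10_000_000   # ">10M weekly downloads"
RAPID_ADOPTION = 1_000_000        # page says "rapid adoption" without a number
YOUNG_DAYS = 365                  # "package <1yr old"
STALE_DAYS = 365                  # "no release in 12+ months"


@dataclass
class PackageMeta:
    """The behavioural signals the score reads: not stars, not README length."""
    name: str
    maintainers: int
    weekly_downloads: int
    first_published: date
    last_release: date
    dependencies: list[str] = field(default_factory=list)


def risk_flag(pkg: PackageMeta, today: date = TODAY) -> str:
    """Apply the page's rules in severity order; the first rule that matches wins."""
    age_days = (today - pkg.first_published).days
    stale_days = (today - pkg.last_release).days
    if pkg.maintainers == 1 and pkg.weekly_downloads > CRITICAL_DOWNLOADS:
        return "CRITICAL"   # single maintainer + >10M weekly downloads
    if age_days < YOUNG_DAYS and pkg.weekly_downloads >= RAPID_ADOPTION:
        return "HIGH"       # young package that is already widely adopted
    if stale_days >= STALE_DAYS:
        return "WARN"       # no release in 12+ months
    return "OK"


SEVERITY = {"CRITICAL": 3, "HIGH": 2, "WARN": 1, "OK": 0, "UNKNOWN": 0}


def scan(root: str, registry: dict, max_depth: int = 2, max_nodes: int = 20,
         today: date = TODAY) -> dict:
    """Breadth-first walk of the dependency graph, bounded like the page's tool.

    Returns {package: (depth, flag)}. The root is depth 0; nodes at max_depth are
    flagged but not expanded; the walk stops once max_nodes packages are reported.
    Packages missing from the registry are reported as UNKNOWN rather than skipped.
    """
    report: dict = {}
    queue = deque([(root, 0)])
    while queue and len(report) < max_nodes:
        name, depth = queue.popleft()
        if name in report:
            continue  # already reached by a shorter path
        pkg = registry.get(name)
        if pkg is None:
            report[name] = (depth, "UNKNOWN")
            continue
        report[name] = (depth, risk_flag(pkg, today))
        if depth < max_depth:
            for dep in pkg.dependencies:
                if dep not in report:
                    queue.append((dep, depth + 1))
    return report


def worst_flag(report: dict) -> str:
    """The flag a direct audit of the root alone would have missed."""
    return max((flag for _, flag in report.values()), key=SEVERITY.__getitem__)


# Constructed dependency graph: a well-maintained root whose transitive
# dependencies carry the single-maintainer / high-download profile.
REGISTRY = {p.name: p for p in [
    PackageMeta("example-sdk", 4, 2_000_000, date(2023, 1, 1), date(2025, 5, 1),
                ["fetch-lite", "schema-tool", "tiny-util"]),
    PackageMeta("fetch-lite", 1, 50_000_000, date(2016, 3, 1), date(2025, 4, 1),
                ["follow-redir"]),
    PackageMeta("schema-tool", 2, 5_000_000, date(2024, 9, 1), date(2025, 5, 15)),
    PackageMeta("tiny-util", 1, 500_000, date(2015, 6, 1), date(2023, 1, 1)),
    PackageMeta("follow-redir", 1, 40_000_000, date(2017, 2, 1), date(2025, 3, 1),
                ["deep-dep"]),
    PackageMeta("deep-dep", 1, 30_000_000, date(2014, 1, 1), date(2025, 1, 1)),
]}


if __name__ == "__main__":
    result = scan("example-sdk", REGISTRY)
    for name, (depth, flag) in sorted(result.items(), key=lambda kv: kv[1][0]):
        print(f"{'  ' * depth}{name}: {flag}")
    print("worst:", worst_flag(result))
```

Run against the constructed registry, the root scores OK while two dependencies reached through it are CRITICAL; deep-dep sits at depth 3 and is never visited, which is exactly the blind spot the depth cap leaves and why the page states that limit. Replacing REGISTRY with metadata pulled from the npm registry and download API would turn this into the live check the page describes.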