Built an open-source npm/PyPI supply chain scanner - looking for feedback
Tags: supply chain security, npm, PyPI, open-source, security scanner
I've been working on MUAD'DIB, a supply chain security scanner for npm and PyPI packages. It's a personal project as part of my career change into software development.
What it does:
- Static analysis (14 scanners: AST, dataflow, obfuscation, entropy, shell commands, GitHub Actions, etc.)
- Dynamic analysis (Docker sandbox with canary tokens)
- Temporal analysis (lifecycle script diffs, maintainer changes, publish anomalies)
- 225K+ IOCs, 94 detection rules
Honest numbers:
- 91.8% true positive rate on 51 real-world malware samples
- 100% on 78 adversarial test cases
- ~13% false positive rate (working on reducing this)
What it's NOT:
- Not enterprise-grade (no ML, no SaaS, no fancy UI)
- npm/PyPI only (no Maven, Cargo, etc.)
- Solo project, no team behind it
Transparency: The code was written with heavy AI assistance (Claude). I directed the architecture and testing, but I want to be upfront about that.
Looking for honest feedback, criticism, and suggestions. What's missing? What would make this actually useful?
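The temporal-analysis bullet above (lifecycle script diffs and maintainer changes) as an added illustration, not code from MUAD'DIB: given two constructed npm `package.json` manifests and maintainer lists for consecutive versions, it flags install-time lifecycle hooks that appear or change and maintainer-set changes, and escalates when both happen in the same release. The package name, script contents and maintainer names are constructed sample values.

```python
import json

# npm lifecycle hooks that run automatically at install time; one that is
# new or changed between two published versions is a classic warning sign.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def diff_lifecycle_scripts(old_manifest: dict, new_manifest: dict) -> list:
    """Return findings for install hooks that appear or change between versions."""
    old_scripts = old_manifest.get("scripts") or {}
    new_scripts = new_manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        before, after = old_scripts.get(hook), new_scripts.get(hook)
        if after is None or before == after:
            continue  # hook absent in new version, or unchanged: nothing to report
        findings.append({
            "type": "hook_added" if before is None else "hook_changed",
            "hook": hook,
            "before": before,
            "after": after,
        })
    return findings

def diff_maintainers(old_maint: list, new_maint: list) -> dict:
    """Report maintainers added or removed between two versions."""
    old_set, new_set = set(old_maint), set(new_maint)
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}

def temporal_report(old_manifest, new_manifest, old_maint, new_maint) -> dict:
    """Combine both diffs; a new install hook plus a new maintainer escalates."""
    hooks = diff_lifecycle_scripts(old_manifest, new_manifest)
    maint = diff_maintainers(old_maint, new_maint)
    escalate = bool(hooks) and bool(maint["added"])
    return {"hooks": hooks, "maintainers": maint, "escalate": escalate}

# Constructed sample: 1.2.0 has no install hooks; 1.2.1 gains a postinstall
# and a newly added maintainer account.
OLD = json.loads('{"name":"example-pkg","version":"1.2.0","scripts":{"test":"jest"}}')
NEW = json.loads('{"name":"example-pkg","version":"1.2.1",'
                 '"scripts":{"test":"jest","postinstall":"node setup.js"}}')
OLD_MAINTAINERS = ["alice"]
NEW_MAINTAINERS = ["alice", "new-account"]

if __name__ == "__main__":
    print(json.dumps(temporal_report(OLD, NEW, OLD_MAINTAINERS, NEW_MAINTAINERS), indent=2))
```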