Supply chain security, explained

Technical deep dives on npm attacks, detection techniques, and dependency risk management.

Dependency Guardian vs Socket.dev: An Honest Comparison (2026)
Tags: Tool Comparison, Supply Chain Security, Socket.dev

Socket has $65M and big-name customers. Dependency Guardian has published accuracy data on a 17,874-package disclosed-malware corpus and costs 5x less at scale. Here's where each tool wins.

Axios Supply Chain Attack (March 2026): How Behavioral Scanning Caught the RAT CVE Scanners Missed
Tags: Attack Analysis, npm Security, Supply Chain Attacks

The Axios npm compromise put a RAT in 100M weekly downloads. npm audit, Snyk, and Dependabot all passed clean. Here's what behavioral scanning catches that they can't.

How Dependency Guardian Catches the Shai-Hulud npm Worm
Tags: Attack Analysis, npm Security, Supply Chain Attacks

The Shai-Hulud worm turned one preinstall hook into 796 compromised packages in 72 hours. CVE scanners returned 0 vulnerabilities on every one of them. Behavioral scanning catches it before the first credential is stolen.

npm postinstall Scripts: The Security Risk Nobody Reviews
Tags: npm Security, Install Scripts, Supply Chain Attacks

Every npm install runs arbitrary code from hundreds of packages via postinstall hooks. The biggest supply chain attacks all exploited this. Here's what they look like and how to catch them.

Behavioral npm Security Scanning: The Complete Guide (2026)
Tags: Supply Chain Security, Behavioral Analysis, npm Security

CVE-based scanners miss every supply chain attack during the window that matters. This guide explains what behavioral npm scanning is, how it works, and what it catches that advisory databases structurally cannot.

Why npm audit and Snyk Miss 100% of Supply Chain Attacks
Tags: npm Security, Supply Chain Attacks, Tool Comparison

npm audit checks advisory databases. Supply chain attacks don't have advisories. Every major npm attack last year passed these tools clean while it was live.

Fishing for Malware: Catching a Trojanized AI Tool Hiding in npm
Tags: Malware Analysis, npm Security

Dependency Guardian flagged a trojanized AI coding assistant two minutes after it was published to npm. 73 out of 76 antivirus engines missed it. Here's what was inside and why behavioral scanning caught it.

Start scanning your dependencies

Behavioral detection for npm supply chain attacks. Free tier, no credit card.