If you write code
Malicious updates and typosquats get refused before they touch your disk.
The xz backdoor shipped as a routine update. event-stream got a new maintainer who quietly slipped in a wallet stealer. Chainsaw reads the package at install time and refuses the ones whose install script reaches for your env vars or whose name shadows a popular library by one keystroke. The block happens before download, so the bad tarball never lands on your disk and there is nothing for you to clean up. You see why it stopped, then you decide.
- Type expresss instead of express and the guard catches the typosquat before the install even resolves.
- It reads install scripts for the part that phones home with your env vars, the exact trick event-stream used.
- When a maintainer goes quiet for a year and then pushes a burst of releases, that pattern is one of the 25 signals it weighs. You get all 25 on the free tier.