npm
npm install crossenv crossenv is a typosquat of cross-env — blocked before it downloads.
Quickstart
Install the free, open-source CLI and turn on the guard. Your
existing package managers (npm, pip, cargo, gem, go) get checked
at install time on your own machine, with no server and no registry
repoint, blocking known-malicious packages and typosquats before
they download. The first time you use it, it asks once whether to
share anonymous usage and blocked-package data to improve detection
(the prompt defaults to yes; decline anytime, and it never sends from
CI); your clean installs never leave your machine. Change anytime with
chainsaw telemetry on|off (see our
privacy policy). Sign in to sync
across your team and unlock the full malicious-packages feed.
Step 1 of 3
Free and open source. One command, no account, and no sudo. It drops a
single binary in ~/.local/bin and adds that to your PATH, so
nothing touches a system directory. Sign in later to sync across your team
and pull the full malicious-packages feed.
curl -fsSL https://chain305.com/install.sh | sh
On Windows, run this in PowerShell instead:
irm https://chain305.com/install.ps1 | iex. It installs per-user
under %LOCALAPPDATA% and updates your user PATH, so it needs no
admin rights.
Step 2 of 3
The shim auto-checks your existing package managers with no registry repoint and no config to maintain. One command writes it into your shell rc (idempotent — safe to run twice):
chainsaw guard init --install # writes the hook to your shell rc, once
# or turn it on for the current shell only:
eval "$(chainsaw guard init zsh)" # bash/zsh
chainsaw guard init fish | source # fish
From now on, npm, pip (and pip3),
go, cargo, and gem installs are
checked automatically. Prefer not to touch your shell?
Run one-shot: chainsaw npm install <package>.
Step 3 of 3
Try installing a typosquat of a package you know, like a misspelling of a popular name. The guard refuses it before it downloads, using embedded seeds, so it works with no network. Known-malicious packages (a curated floor) and typosquats of popular packages are both caught at install time.
npm install crossenv crossenv is a typosquat of cross-env — blocked before it downloads.
pip install python3-dateutil
cargo add rustdecimal
gem install rest-clientt Typosquats of python-dateutil, rust_decimal, and rest-client — same check across Python, Rust, and Ruby.
go get github.com/sirupsen/logruss A typosquat of logrus — Go modules are checked at fetch time too.
Want the full known-malicious set? Pull it once with
chainsaw guard update. Everything still runs locally, and
nothing about your installs leaves the machine.
Scale this to a team
The local guard is per-developer. To enforce the same checks across a team, with shared policies, an audit trail, and blocks that hold even on machines without the CLI, run Chainsaw as a proxy in front of your registries. This path needs an account and a running endpoint; the local guard above needs neither.
Team · Step 1 of 4
Free tier, no credit card. The signup form takes about 30 seconds: email, org name, password. Email verification optional in dev.
Team · Step 2 of 4
In your dashboard, go to Access → Client credentials
and create a credential pair. You'll get a CLIENT_ID and
a CLIENT_SECRET. Keep them handy for the next step.
The secret is shown once, so copy it now.
Team · Step 3 of 4
One config block per ecosystem. No agent, no certificate, no MITM
proxy on your network. Pick the package manager you actually use
and paste your CLIENT_ID and CLIENT_SECRET
from the previous step:
Register Chainsaw as your registry:
npm config set registry https://CLIENT_ID:CLIENT_SECRET@chain305.com/chainproxy/repository/@default/npmjs/ Replace CLIENT_ID and CLIENT_SECRET with the values you copied in step 2.
Register Chainsaw as your registry:
pip config set global.index-url https://CLIENT_ID:CLIENT_SECRET@chain305.com/chainproxy/repository/@default/pypi/simple
pip config set global.trusted-host chain305.com Two lines. pip needs trusted-host once credentials are embedded in the URL.
Register Chainsaw as your registry:
docker login chain305.com Username: your CLIENT_ID. Password: your CLIENT_SECRET.
Team · Step 4 of 4
Pick your ecosystem and run the install. The demo packages here are drawn from the OpenSSF malicious-packages feed, long-tail entries flagged for typosquatting or known malware. Chainsaw refuses each one against the seeded demo policies.
npm install lodahs lodahs is a known typosquat of lodash, flagged in the OpenSSF malicious-packages feed. Chainsaw refuses the install before the package is downloaded.
pip install reqeusts reqeusts is a known typosquat of requests. Chainsaw blocks the install at metadata-fetch time.
docker pull chain305.com/repository/@default/docker/library/known-malicious-image:latest Chainsaw checks every image pull against the OpenSSF malware feed and blocks known-bad layers before they hit your registry cache.
What you'll see in the terminal
Chainsaw firewall: BLOCKED by policy "Demo: Block suspected typosquats"
Reason: package name resembles "lodash" with edit distance 1
Detected: typosquat · in OpenSSF malicious-packages index
Install blocked. Edit or delete this rule from your dashboard. What's next
Stuck? Book a 30-minute demo and we'll walk you through it together.