HN Showcase
Back to browse
GitHub Repository

PMG protects developers, AI agents from malicious open source packages using proxy, sandbox and SafeDep's threat intelligence feed.

387 starsGo

NPM install is a security hole, so we built a guard for it

by Sahil121·Mar 26, 2026·1 point·0 comments
Visit ProjectView on HN

AI Analysis

●●●BangerBig BrainSolve My Problem

Blocks malicious packages at install-time before AI agents execute them on your machine.

Strengths
  • Install-time interception stops malware before execution, not post-install scanning
  • OS-native sandboxing provides defense-in-depth even if detection misses zero-days
  • Works transparently with npm, pip, and poetry after single setup command
Weaknesses
  • Socket.dev and npm audit already cover supply chain security for many teams
  • Enterprise adoption depends on integration with existing CI/CD security pipelines
Category
Security
Target Audience

Backend developers, security-conscious teams using AI coding agents

Similar To

Socket.dev · npm audit · Snyk

Post Description

`npm install` is more trusted than it should be.

PMG is a guard in front of your package manager that intercepts installs and blocks malicious dependencies before they land on your system.

It also consists of an sandbox layer which protects you from unknown malicious threats.

Curious if install-time enforcement makes sense in your workflow.

Similar Projects

Security●●Solid

New NPM Supply chain Attack?

Docker isolation + tcpdump catches malicious npm installs before they touch your machine.

Solve My ProblemBig Brain
adamgonda
2014d ago