Vekt

Supply Chain Threat Intelligence

Catch supply chain attacks
before they reach production.

Vekt scans 22 lockfile formats across 12 package ecosystems against real-time malicious package and vulnerability data. CLI, IDE, and browser extension. Free. No account needed.

See it in action.

Real output from scanning 221 lockfiles across a production codebase.

$ vekt scan ~/projects
Scanning 221 lockfiles in ~/projects ...
Querying OSV for 14,208 unique packages (69,419 total) ...
SCAN COMPLETE: 221 lockfiles | 69,419 packages | 1,702 findings
CRITICAL: 0 MALICIOUS package(s)
INFO: 1 security-holder placeholder(s)
WARNING: 3,872 known vulnerability(ies)
--> package-lock.json (npm)
HOLDER MAL-2025-21003 fs@0.0.1-security
registry placeholder, remove from dependencies
--> uv.lock (PyPI)
VULN GHSA-5239-wwwm-4pmq pygments@2.19.2
Ecosystems: PyPI, npm, crates.io, Go, Packagist, SwiftURL
Run time: 46.1s

What Vekt detects

Three layers of
supply chain defense.

Malicious Packages

Detects confirmed malicious packages flagged with MAL-* advisories from the OSSF malicious-packages database. Credential stealers, crypto miners, backdoors.

MALICIOUS MAL-2025-21003 evil-logger@3.2.1

Known Vulnerabilities

Queries OSV.dev for CVEs, GHSAs, PYSECs, and RustSec advisories across all 12 ecosystems. Real-time data, not a monthly snapshot.

VULN GHSA-xxxx-yyyy lodash@4.17.15
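The scan output above and the two detection layers just described share one pipeline: parse the lockfile, deduplicate name@version pairs, send them to the OSV batch API, then sort each advisory into a tier. The Python below is an added example of that pipeline, not Vekt's code. The package-lock.json, the OSV querybatch response, and the tier mapping are constructed for this example (the advisory ids reuse the ones shown on this page), and nothing is sent over the network; a real run would POST the request body to https://api.osv.dev/v1/querybatch.

```python
"""Lockfile -> OSV querybatch -> tiered findings. Added example, not Vekt's code."""
import json

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path,
# "" being the root project). lodash appears twice to show deduplication.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/fs": {"version": "0.0.1-security"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/lodash": {"version": "4.17.15"},
    },
})

# Constructed OSV response. querybatch returns one "results" entry per query,
# in query order; here the order matches the sorted queries built below.
OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "MAL-2025-21003", "modified": "2025-01-01T00:00:00Z"}]},  # fs
    {},                                                                         # left-pad
    {"vulns": [{"id": "GHSA-xxxx-yyyy", "modified": "2025-01-01T00:00:00Z"}]},  # lodash
]}


def parse_package_lock(text):
    """Return (unique {(name, version)}, total entry count) for a v2/v3 lockfile.
    The name is the path after the last 'node_modules/'; nested copies of the
    same name@version collapse, which is what keeps queries below raw package count."""
    data = json.loads(text)
    unique, total = set(), 0
    for path, entry in data.get("packages", {}).items():
        if path == "" or "version" not in entry:
            continue  # root project, or a link entry with no resolved version
        total += 1
        unique.add((path.rsplit("node_modules/", 1)[-1], entry["version"]))
    return unique, total


def build_osv_querybatch(packages, ecosystem="npm"):
    """Request body for POST /v1/querybatch; sorted so the body is stable."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in sorted(packages)
    ]}


def parse_osv_results(query_body, response_body):
    """Pair each result with its query (same order) and collect advisory ids."""
    vulns = {}
    for query, result in zip(query_body["queries"], response_body["results"]):
        key = (query["package"]["name"], query["version"])
        vulns[key] = [v["id"] for v in result.get("vulns", [])]
    return vulns


def classify(vulns_by_package):
    """Tier mapping modelled on the scan output: MAL-* on a registry
    security-holder version -> INFO/HOLDER, any other MAL-* -> CRITICAL/MALICIOUS,
    everything else (CVE, GHSA, PYSEC, RUSTSEC) -> WARNING/VULN."""
    findings = []
    for (name, version), ids in sorted(vulns_by_package.items()):
        placeholder = version.endswith("-security")  # npm security-holder convention
        for vuln_id in ids:
            if vuln_id.startswith("MAL-") and placeholder:
                tier, kind = "INFO", "HOLDER"
            elif vuln_id.startswith("MAL-"):
                tier, kind = "CRITICAL", "MALICIOUS"
            else:
                tier, kind = "WARNING", "VULN"
            findings.append((tier, kind, f"{name}@{version}", vuln_id))
    return findings


def summarize(findings):
    counts = {"CRITICAL": 0, "WARNING": 0, "INFO": 0}
    for tier, *_ in findings:
        counts[tier] += 1
    return counts


def scan(lockfile_text, osv_response):
    """Run the whole pipeline against an already-fetched OSV response."""
    packages, _total = parse_package_lock(lockfile_text)
    body = build_osv_querybatch(packages)
    return classify(parse_osv_results(body, osv_response))


if __name__ == "__main__":
    for tier, kind, pkg, vuln_id in scan(LOCKFILE_JSON, OSV_RESPONSE):
        print(f"{tier:8} {kind:9} {vuln_id} {pkg}")
    print(summarize(scan(LOCKFILE_JSON, OSV_RESPONSE)))
```

The security-holder rule is the one worth noting: a MAL-* advisory on a version like 0.0.1-security is a registry placeholder, so the advisory is real but the remediation is "remove the dependency", not "update it", which is why it lands in its own tier rather than in CRITICAL.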

Typosquat Detection

Flags packages whose names closely resemble popular packages. Levenshtein distance, character substitution patterns, and scope confusion detection.

TYPOSQUAT Did you mean 'requests'?
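The three signals named above (edit distance, confusable-character substitution, scope confusion) can each be checked independently against a list of popular names. The Python below is an added example of such a checker, not Vekt's detector: the popular-package list, the confusable table, and the distance thresholds are this example's own assumptions, and a real deployment would draw the list from registry download counts.

```python
"""Typosquat heuristics: edit distance, confusables, scope confusion.
Added example, not Vekt's code; lists and thresholds are constructed."""

# Constructed sample of well-known names; a real list comes from registry stats.
POPULAR = ("requests", "lodash", "express", "numpy", "@types/node", "react")

# Pairs that look alike in a terminal or diff (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("_", "-"), (".", "-"))


def levenshtein(a, b):
    """Classic single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Collapse confusable spellings so '1odash' and 'lodash' compare equal."""
    name = name.lower()
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def split_scope(name):
    """'@types/node' -> ('@types', 'node'); 'react' -> (None, 'react')."""
    if name.startswith("@") and "/" in name:
        scope, base = name.split("/", 1)
        return scope, base
    return None, name


def check_typosquat(candidate, popular=POPULAR):
    """Return (popular_name, reason) if candidate looks like a squat, else None."""
    if candidate in popular:
        return None
    cand_scope, cand_base = split_scope(candidate)
    norm_cand = normalize(candidate)
    best = None
    for known in popular:
        known_scope, known_base = split_scope(known)
        # Scope confusion: '@types/node' flattened to 'types-node', republished
        # under another scope as '@typs/node', or an unscoped 'react' wrapped as
        # '@reactjs/react'.
        if known_scope and not cand_scope and norm_cand == normalize(f"{known_scope[1:]}-{known_base}"):
            return known, "scope confusion"
        if known_scope and cand_scope and cand_scope != known_scope and cand_base == known_base:
            return known, "scope confusion"
        if cand_scope and not known_scope and cand_base == known_base:
            return known, "scope confusion"
        # Character substitution: identical once confusables are collapsed.
        if norm_cand == normalize(known):
            return known, "character substitution"
        # Edit distance: one edit always, two edits only for longer names
        # (threshold is an assumption of this example).
        dist = levenshtein(norm_cand, normalize(known))
        if dist <= 1 or (dist == 2 and len(known) >= 6):
            if best is None or dist < best[1]:
                best = (known, dist)
    return (best[0], "edit distance") if best else None


if __name__ == "__main__":
    for name in ("requests", "reqeusts", "1odash", "types-node", "@reactjs/react", "numpy-utils"):
        hit = check_typosquat(name)
        print(f"{name:16} ->", f"Did you mean '{hit[0]}'? ({hit[1]})" if hit else "ok")
```

Order matters: the scope and confusable checks return on the first match because they are exact after normalization, while the distance check keeps the closest candidate so a name two edits from one package and one edit from another is attributed to the nearer one.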

Works everywhere

One scanner.
Every surface.

CLI

Scan lockfiles from the terminal. JSON output for scripts and CI. 3.7MB binary, zero dependencies.

IDE / LSP

Yellow squiggles on vulnerable deps, red on malicious. Hover for details, quick-fix to update. Every editor via LSP.

Browser Extension

Trust badge on npm, PyPI, crates.io, and 7 more registries. See maintainers, version history, and provenance before you install.

CI/CD

Block PRs that introduce new vulnerabilities. SARIF output for GitHub Advanced Security. Exit codes for pipelines.
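Blocking a PR on new findings has three parts: diff the head scan against the base-branch scan so pre-existing issues do not fail unrelated PRs, emit SARIF so the findings render as code-scanning alerts, and map the worst surviving tier to an exit code. The Python below is an added example of those three parts, not Vekt's CI mode: the findings are constructed, and the rule-id, level mapping and exit-code convention are this example's own.

```python
"""Baseline diff, SARIF 2.1.0 output and exit codes for a dependency scan.
Added example, not Vekt's code; findings and conventions are constructed."""
import json

# Constructed findings: (tier, advisory id, package@version, lockfile path).
# The ids reuse the ones shown on this page.
BASE_FINDINGS = [
    ("WARNING", "GHSA-xxxx-yyyy", "lodash@4.17.15", "package-lock.json"),
]
HEAD_FINDINGS = [
    ("CRITICAL", "MAL-2025-21003", "evil-logger@3.2.1", "package-lock.json"),
    ("WARNING", "GHSA-xxxx-yyyy", "lodash@4.17.15", "package-lock.json"),
    ("INFO", "MAL-2025-21003", "fs@0.0.1-security", "package-lock.json"),
]

SARIF_LEVEL = {"CRITICAL": "error", "WARNING": "warning", "INFO": "note"}
RANK = {"INFO": 0, "WARNING": 1, "CRITICAL": 2}


def new_findings(base, head):
    """Findings present on the PR head but not on the base branch."""
    seen = set(base)
    return [f for f in head if f not in seen]


def to_sarif(findings, tool_name="vekt"):
    """Minimal SARIF log: one rule per advisory id, one result per finding."""
    rules, results = {}, []
    for tier, advisory, pkg, path in findings:
        rules.setdefault(advisory, {
            "id": advisory,
            "shortDescription": {"text": f"{tier} advisory {advisory}"},
        })
        results.append({
            "ruleId": advisory,
            "level": SARIF_LEVEL[tier],
            "message": {"text": f"{pkg}: {advisory}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": path}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def exit_code(findings, fail_on="WARNING"):
    """2 if anything malicious, 1 if any finding at or above fail_on, else 0."""
    worst = max((RANK[tier] for tier, *_ in findings), default=-1)
    if worst == RANK["CRITICAL"]:
        return 2
    if worst >= RANK[fail_on]:
        return 1
    return 0


if __name__ == "__main__":
    introduced = new_findings(BASE_FINDINGS, HEAD_FINDINGS)
    print(json.dumps(to_sarif(introduced), indent=2))
    print("exit code:", exit_code(introduced))
```

Keying the baseline diff on the full (tier, advisory, package@version, path) tuple means a version bump that clears an old advisory but picks up a new one shows up as exactly one new finding, and a pre-existing vulnerability stays visible in the SARIF of the base branch without failing every PR that touches the lockfile.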

Fast

69,419 packages scanned in 46 seconds. Parallel parsing, package deduplication, OSV batch API. Rust binary, not a wrapper script.

Browser Extension

Trust data where
you evaluate packages.

See vulnerabilities, maintainer credibility, and security signals directly on npm, PyPI, crates.io, and 6 more registries. No tab switching.

[Screenshot: Vekt trust bar on an npm package page showing the package analysis]

Instant analysis

Trust bar appears at the bottom of every supported registry page. Green, yellow, or red -- no security expertise needed.

[Screenshot: Vekt trust panel showing maintainer data, vulnerability count, and download stats]

Maintainer credibility

Click for the full trust panel: OpenSSF score, vulnerability count, maintainer GitHub profiles with star counts, dependency depth, provenance status.

[Screenshot: Vekt extension settings page with registry toggles]

Simple settings

Toggle registries on or off. Privacy-first: only sends package name and version, never browsing data.

12 ecosystems. 22 formats.

Every major package manager, parsed natively in Rust.

Ecosystems: npm, PyPI, crates.io, Go, RubyGems, Packagist, NuGet, Pub, Swift, Hex, Hackage, CRAN

Lockfile formats: uv.lock, requirements.txt, poetry.lock, Pipfile.lock, package-lock.json, bun.lock, yarn.lock, pnpm-lock.yaml, Cargo.lock, go.sum, Gemfile.lock, composer.lock, pubspec.lock, Package.resolved, mix.lock, rebar.lock, packages.lock.json, cabal.project.freeze, stack.yaml.lock, renv.lock, pdm.lock, pixi.lock

Free. Forever.

No API keys. No accounts. No rate limits. Vekt queries OSV.dev directly from your machine -- no data passes through our servers.

  • 22 lockfile formats across 12 ecosystems
  • Pre-install package auditing
  • CI/CD mode with SARIF output
  • .vektignore suppression management
  • LSP server for IDE integration
  • Browser extension for registry pages
  • 5-platform binaries (Linux, macOS, Windows)
  • No cloud dependency

Start scanning.

Install the CLI and scan your dependencies in seconds. No account, no API key, no cloud dependency.