Browser Extension
The Vekt browser extension injects a trust badge on package registry pages, giving you an at-a-glance security signal before you add a dependency.
Table of contents
- Install
- What it does
- Supported registries
- Understanding the trust badge
- Trust panel
- Typosquat warnings
- Configuration
- Privacy
Install
Chrome, Chromium, Edge, Brave:
Install from the Chrome Web Store
Firefox:
After installing, click the Vekt icon in your toolbar and enter your API key. The extension works without an API key on the Free tier (rate limited), but an API key is required for the full trust panel.
What it does
When you visit a package page on a supported registry, Vekt:
- Extracts the package name, version, and ecosystem from the page
- Sends a lightweight query to the Vekt API
- Injects a trust badge next to the package title
- On click, expands a trust panel with detailed findings
This happens automatically on page load and whenever you navigate to a different package version.
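The four steps above, worked through as an added example (this is not the extension's own code). The page says the fields are extracted "from the page"; here they are parsed from the registry URL instead, an assumption made so the demo runs offline. The URL layouts are the registries' public ones, and every ecosystem label other than "PyPI" (which appears in the Privacy section's sample query) is assumed.

```javascript
// Added example, not Vekt's own code. Parses a registry page URL into the
// {package, version, ecosystem} triple and builds the query body shown in the
// Privacy section. Parsing from the URL (rather than the page) is an assumption.
// Ecosystem labels other than "PyPI" are assumed.

const REGISTRY_PARSERS = {
  "www.npmjs.com": (segs) => {
    // /package/<name>/v/<version>  or  /package/@scope/<name>/v/<version>
    if (segs[0] !== "package" || !segs[1]) return null;
    const scoped = segs[1].startsWith("@");
    if (scoped && !segs[2]) return null;
    const name = scoped ? `${segs[1]}/${segs[2]}` : segs[1];
    const rest = segs.slice(scoped ? 3 : 2);
    return { ecosystem: "npm", name, version: rest[0] === "v" ? rest[1] : undefined };
  },
  "pypi.org": (segs) => {
    // /project/<name>/<version>/
    if (segs[0] !== "project" || !segs[1]) return null;
    return { ecosystem: "PyPI", name: segs[1], version: segs[2] };
  },
  "crates.io": (segs) => {
    // /crates/<name>/<version>
    if (segs[0] !== "crates" || !segs[1]) return null;
    return { ecosystem: "crates.io", name: segs[1], version: segs[2] };
  },
  "pkg.go.dev": (segs) => {
    // /<module/path>@<version>; the version hangs off the last path segment
    const joined = segs.join("/");
    if (!joined) return null;
    const at = joined.lastIndexOf("@");
    if (at === -1) return { ecosystem: "Go", name: joined, version: undefined };
    return { ecosystem: "Go", name: joined.slice(0, at), version: joined.slice(at + 1) };
  },
  "rubygems.org": (segs) => {
    // /gems/<name>/versions/<version>
    if (segs[0] !== "gems" || !segs[1]) return null;
    return { ecosystem: "RubyGems", name: segs[1], version: segs[2] === "versions" ? segs[3] : undefined };
  },
};

// Only an exact hostname match counts as "a supported registry page": on any
// other site the extension does nothing and sends nothing.
function parseRegistryUrl(urlString) {
  let url, segs;
  try {
    url = new URL(urlString);
    segs = url.pathname.split("/").filter(Boolean).map(decodeURIComponent);
  } catch {
    return null;
  }
  const parser = REGISTRY_PARSERS[url.hostname];
  if (!parser) return null;
  const parsed = parser(segs);
  // Refuse anything that is not a plausible package name before it leaves the browser.
  if (!parsed || !/^[@A-Za-z0-9._\/-]+$/.test(parsed.name)) return null;
  return parsed;
}

// The query body from the Privacy section: exactly these fields and nothing else.
function buildQuery(parsed) {
  const body = { package: parsed.name, version: parsed.version, ecosystem: parsed.ecosystem };
  if (body.version === undefined) delete body.version; // registry page showing the latest version
  return body;
}

function queryForUrl(urlString) {
  const parsed = parseRegistryUrl(urlString);
  return parsed ? buildQuery(parsed) : null;
}
```

The hostname lookup is deliberately exact rather than a substring match, so a look-alike domain that merely contains a registry name never triggers a query, and the name check rejects anything that could not be a package name before any request is made.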
Supported registries
| Registry | URL |
|---|---|
| npm | npmjs.com |
| PyPI | pypi.org |
| crates.io | crates.io |
| Go packages | pkg.go.dev |
| RubyGems | rubygems.org |
| Packagist | packagist.org |
| Pub | pub.dev |
| Hex | hex.pm |
| Hackage | hackage.haskell.org |
Understanding the trust badge
The badge appears next to the package name or version on the registry page.
| Badge | Meaning |
|---|---|
| Green -- Verified | No known vulnerabilities or malicious activity for this version |
| Yellow -- Vulnerabilities | One or more known vulnerabilities for this version |
| Red -- Malicious | This package or version has been confirmed as malicious |
| Gray -- Unknown | The package was not found in the threat intel database, or the query is pending |
The badge reflects the currently viewed version. Navigate to a different version on the registry page and the badge updates to reflect that version's status.
Trust panel
Clicking the badge opens a panel with detailed information.
Vulnerabilities
A list of known vulnerabilities affecting the current version, with advisory IDs, severity, and links to full advisories. Each entry links to osv.dev for complete details.
Maintainers
The number of active maintainers and the most recent publish date. Packages with a single maintainer who has not published in over a year are flagged as potentially abandoned.
Version timeline
A sparkline showing publish frequency across versions. Sudden activity spikes or unusually long gaps between versions are highlighted.
OpenSSF Scorecard
Where available, the package's OpenSSF Scorecard score and the highest-risk individual checks (code review, branch protection, CI, dependency update tooling, etc.).
Provenance
Whether the package version was published with a verifiable build provenance attestation (e.g., npm provenance via GitHub Actions OIDC, or Sigstore for PyPI). Packages with provenance have a stronger chain of custody from source to registry.
Typosquat warnings
If the package name closely resembles the name of a well-known package, the badge includes a typosquat warning. The warning shows the suspected target package name so you can verify you have the correct package.
Example: visiting `reqeusts` on PyPI would trigger a typosquat warning pointing to `requests`.
Typosquat detection uses edit distance, keyboard proximity, and homoglyph analysis. False positives can be reported through the extension feedback link.
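How the three signals combine, as an added example rather than Vekt's detector: edit distance with a discount for substitutions between neighbouring keys, an adjacent-transposition step (the `reqeusts` case), and a homoglyph fold applied before comparison. The popular-package list, the glyph map, the QWERTY layout and the distance cut-off are all constructed for this demo.

```javascript
// Added example, not Vekt's detector. Scores how closely a package name
// resembles a list of well-known names using edit distance, keyboard
// proximity and homoglyph analysis. POPULAR, the glyph map, the keyboard
// layout and maxDistance are constructed values for the demo.

const POPULAR = ["requests", "numpy", "urllib3", "lodash", "express"];

// Fold look-alike glyphs and common digraph tricks onto a canonical form so
// that "l0dash" or a Cyrillic "rеquests" compare equal to their targets.
// Used for comparison only; the original name is what the user sees.
function normalizeGlyphs(name) {
  return name
    .toLowerCase()
    .replace(/rn/g, "m").replace(/vv/g, "w")
    .replace(/[0\u043E]/g, "o")            // digit zero, Cyrillic o
    .replace(/[1|]/g, "l")
    .replace(/\u0430/g, "a").replace(/\u0435/g, "e")
    .replace(/\u0440/g, "p").replace(/\u0441/g, "c")
    .replace(/[-_.]/g, "-");               // separators are interchangeable on most registries
}

// QWERTY coordinates; rows are staggered by half a key to model the real layout.
const KEY_POS = {};
["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"].forEach((row, r) =>
  [...row].forEach((ch, c) => { KEY_POS[ch] = [r, c + r * 0.5]; }));

function keyboardAdjacent(a, b) {
  const pa = KEY_POS[a], pb = KEY_POS[b];
  return !!pa && !!pb && Math.abs(pa[0] - pb[0]) <= 1 && Math.abs(pa[1] - pb[1]) <= 1;
}

// Optimal-string-alignment distance: cost 0.5 for substituting neighbouring
// keys, 1 for any other edit, 1 for swapping two adjacent characters.
function weightedDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...new Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = a[i - 1] === b[j - 1] ? 0 : keyboardAdjacent(a[i - 1], b[j - 1]) ? 0.5 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + sub);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition, e.g. "eu" <-> "ue"
      }
    }
  }
  return d[a.length][b.length];
}

// Returns {target, distance} for the closest well-known name within the
// cut-off, or null when the name is itself well-known or nothing is close.
function typosquatCheck(name, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(name)) return null;
  const norm = normalizeGlyphs(name);
  let best = null;
  for (const target of popular) {
    const distance = weightedDistance(norm, normalizeGlyphs(target));
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { target, distance };
    }
  }
  return best;
}
```

A distance of 0 after normalisation is the strongest signal: the name differs from a well-known package only by a look-alike glyph, which is exactly the case a human reviewer is least likely to notice on the registry page.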
Configuration
Open the extension options page from the toolbar icon or from your browser's extension management page.
| Setting | Description | Default |
|---|---|---|
| API Key | Your Vekt API key. Required for the full trust panel and to avoid rate limits. | Empty |
| Registry toggles | Enable or disable the extension on individual registries. | All enabled |
| Severity threshold | Minimum severity to show the badge as yellow (warning). Findings below this level still appear in the panel but do not change the badge color. | low |
| Auto-expand panel | Automatically expand the trust panel on page load when findings are present. | Disabled |
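How the badge colour follows from a response once the severity threshold is applied, as an added example that is not the extension's code. The precedence (malicious over vulnerable over verified, with gray when nothing is known yet) comes from the badge table above; the response shape, the severity names and their order are assumptions made for this illustration, and the advisory IDs in the sample are placeholders.

```javascript
// Added example, not the extension's code. Derives the badge from a
// Vekt-style response plus the "Severity threshold" setting. The response
// shape and the severity ordering are assumptions for this illustration.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

function severityRank(s) {
  // A finding with no usable severity is treated as "low" rather than
  // dropped, so the default threshold still surfaces it on the badge.
  return SEVERITY_RANK[String(s || "").toLowerCase()] ?? SEVERITY_RANK.low;
}

function badgeFor(response, settings = { severityThreshold: "low" }) {
  if (!response || response.status === "pending" || response.found === false) {
    return { color: "gray", label: "Unknown" };
  }
  if (response.malicious === true) return { color: "red", label: "Malicious" };
  const threshold = severityRank(settings.severityThreshold);
  const vulns = Array.isArray(response.vulnerabilities) ? response.vulnerabilities : [];
  const atOrAbove = vulns.filter((v) => severityRank(v.severity) >= threshold);
  if (atOrAbove.length > 0) {
    return { color: "yellow", label: "Vulnerabilities", shown: atOrAbove.length, total: vulns.length };
  }
  // Findings below the threshold still belong in the panel, just not on the badge.
  return { color: "green", label: "Verified", shown: 0, total: vulns.length };
}

// Panel order: most severe first, so anything that coloured the badge is on top.
function panelOrder(vulns) {
  return [...vulns].sort((x, y) => severityRank(y.severity) - severityRank(x.severity));
}

// Constructed sample response; the IDs are placeholders, not real advisories.
const SAMPLE_RESPONSE = {
  found: true,
  malicious: false,
  vulnerabilities: [
    { id: "EXAMPLE-0001", severity: "low" },
    { id: "EXAMPLE-0002", severity: "high" },
  ],
};
```

Raising the threshold changes only the badge: `total` still reports every finding, which is what the panel lists, and a malicious flag is never filtered by severity.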
Privacy
The Vekt extension is designed to share as little information as possible:
- What is sent: Package name, version, and ecosystem. Nothing else.
- What is never sent: Page content, browsing history, URL paths, other installed extensions, or any personal data.
- When queries are made: Only when you visit a supported registry page. The extension does not run on any other page.
- Storage: Your API key is stored in your browser's local extension storage and is never transmitted to any server other than kief.dev.
- No tracking: The extension does not include analytics, telemetry, or session tracking of any kind.
Each query to the Vekt API includes only:
```json
{
  "package": "requests",
  "version": "2.31.0",
  "ecosystem": "PyPI"
}
```