Supply chain risk scoring for npm, PyPI, Cargo, and Go. 9 tools. Behavioral signals.
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.
Stars lie. Behavioral signals don't. An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals that are harder to fake than stars, READMEs, or download counts. flags none of these. They're not vulnerabilities — they're attack-surface concentration. One stolen npm token, one phished maintainer, and a single push reaches the whole ecosystem (axios, March 30 2026 — happened). 26 of the 91 npm packages with >10M…