Know if xrpl.js is flagged.
Block zero-day supply-chain attacks early, before they ever reach a build.
Every source, one signal.
Adopt one piece, or the whole stack
Verifi CLI
An open-source CLI to scan packages and projects from your terminal and CI. It runs the Verifi detection engine.
Verifi Firewall
A registry proxy that blocks bad packages before they install. It sits in front of Nexus or Artifactory, or runs standalone.
Verifi Intel
A threat-intelligence corpus, public research, and a feed with an API. It also powers this site's research and blog.
Verifi CodeFix
Verified patches and fixes for vulnerable and malicious packages, consumed by automation.
Verifi Workflows
Automated remediation and supply-chain incident response. A vertical SOAR built for the supply chain.
Recently caught in the wild
Real supply-chain attacks from the corpus Verifi is built on, not hypotheticals.
Malicious dependency injected after a maintainer handoff, targeting crypto wallets.
Maintainer account hijacked; compromised versions dropped a cryptominer and credential stealer.
Account takeover led to a malicious postinstall script across multiple versions.
Compromised release exfiltrated environment variables, including cloud credentials.
Published alongside coa in the same account-takeover incident with an install-time payload.
Backdoored release attempted to drain private keys from wallet integrations.
What is behind every result
Every result separates what we found in the package itself from what we know about the broader campaign, so you know how much to trust it.
Malicious package detection
Matched against OSSF, DataDog, and GitHub threat feeds to flag packages with confirmed malicious code, plus novel analysis for the attacks no feed has listed yet.
Known vs novel malware
Vulnerability matching
CVEs and GHSAs mapped to the exact affected version ranges, not just the package name, then filtered by what is reachable in your code.
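The version-range step above is where most name-only matchers go wrong. Below is an added example (not Verifi's code, and not its detection engine) of that matching: a small evaluator for GHSA-style comparator ranges such as `>= 1.0.0, < 1.2.3`, run over a constructed package-lock `packages` map, and then narrowed to packages the application actually imports. The advisory IDs, package names, versions and source lines are all constructed sample data; the reachability test is deliberately simple (the package is imported directly and the hit is the top-level copy Node would resolve to), not a call-graph analysis.

```python
"""Match a lockfile against advisory version ranges, then flag which hits are imported.

Added example (not Verifi's code). Advisory IDs, packages, versions and source
lines are constructed sample data, not real advisories.
"""
import re
from typing import List, Set, Tuple

# GHSA-style comparator ranges: ">= 1.0.0, < 1.2.3", "<= 4.17.20", "= 2.0.0".
_COMPARATOR = re.compile(r"^(>=|<=|>|<|=)?\s*([0-9]+(?:\.[0-9]+){0,2}(?:-[0-9A-Za-z.-]+)?)$")

# Bare-specifier imports/requires in JS source; relative paths are filtered later.
_IMPORT = re.compile(r"""(?:require\(\s*|from\s+)['"]([^'"]+)['"]""")


def parse_version(text: str) -> Tuple:
    """Turn '1.2.3-beta.1' into a sortable tuple. A final release sorts above any
    prerelease of the same core ('1.2.3' > '1.2.3-beta.1'), as semver requires."""
    core, _, pre = text.strip().lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))          # '1.2' -> 1.2.0
    if not pre:
        return (*nums, 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (*nums, 0, parts)


def version_in_range(version: str, range_spec: str) -> bool:
    """True when every comma-separated comparator in the range holds for the version."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = _COMPARATOR.match(clause.strip())
        if not m:
            raise ValueError(f"bad comparator: {clause!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        holds = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
                 "<": v < bound, "=": v == bound}[op]
        if not holds:
            return False
    return True


def imported_packages(source: str) -> Set[str]:
    """Package names imported by the app's own code (scoped names keep their scope)."""
    names = set()
    for spec in _IMPORT.findall(source):
        if spec.startswith((".", "/")):
            continue                        # relative or absolute path, not a package
        parts = spec.split("/")
        names.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
    return names


def match_lockfile(lock: dict, advisories: list, imports: Set[str]) -> List[dict]:
    """Every (package, installed version) pair whose version falls in an advisory range.
    A hit is 'reachable' only if the app imports the package and the hit is the
    top-level copy that Node resolves for the app's own imports."""
    findings = []
    for path, entry in lock["packages"].items():
        if not path:
            continue                        # the root project entry
        name = path.rsplit("node_modules/", 1)[1]
        version = entry["version"]
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["range"]):
                findings.append({
                    "id": adv["id"], "package": name, "version": version, "path": path,
                    "reachable": name in imports and path == f"node_modules/{name}",
                })
    return sorted(findings, key=lambda f: (f["package"], f["path"], f["id"]))


# Constructed advisories in the shape of GHSA "vulnerable_version_range" data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "left-pad-clone", "range": ">= 1.0.0, < 1.2.3"},
    {"id": "EXAMPLE-0002", "package": "yaml-parse-lite", "range": "<= 2.0.0"},
    {"id": "EXAMPLE-0003", "package": "yaml-parse-lite", "range": "= 2.1.0-beta.1"},
]

# Constructed package-lock v3 "packages" map: one nested copy under a dev tool.
LOCKFILE = {"packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-pad-clone": {"version": "1.1.0"},
    "node_modules/yaml-parse-lite": {"version": "2.1.0-beta.1"},
    "node_modules/some-cli": {"version": "3.0.0", "dev": True},
    "node_modules/some-cli/node_modules/yaml-parse-lite": {"version": "1.9.0"},
}}

# Constructed application source.
APP_SOURCE = """
const pad = require('left-pad-clone');
import { parse } from "yaml-parse-lite/dist/index.js";
import helper from './lib/helper';
"""


def run_demo() -> List[dict]:
    return match_lockfile(LOCKFILE, ADVISORIES, imported_packages(APP_SOURCE))


if __name__ == "__main__":
    for f in run_demo():
        flag = "REACHABLE" if f["reachable"] else "not reachable"
        print(f'{f["id"]}: {f["package"]}@{f["version"]} at {f["path"]} ({flag})')
```

Two things to notice in the output: the prerelease `2.1.0-beta.1` is correctly excluded from `<= 2.0.0` (a string comparison would include it), and the nested `1.9.0` copy under `some-cli` is a real hit but is not what the app's import resolves to, so it is reported without the reachable flag rather than dropped.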
Reachability, explained
IOC and campaign attribution
File hashes, C2 domains, and MITRE ATT&CK TTPs tied back to known supply-chain campaigns.
Indicators of compromise
Automated response
Block it at the registry proxy, open a fix PR, or alert your team. The right action, decided by policy, not just a verdict.
Automation
Read up on the threat landscape
Mini Shai-Hulud: The Self-Replicating npm Worm That Should Change How You Think About Dependencies
The fourth campaign in the Shai-Hulud series has arrived. Mini Shai-Hulud targets SAP packages, TanStack and agentic AI libraries with a self-propagating worm that steals credentials, injects malicious code and spreads across your entire CI/CD estate before your scanner has filed a ticket.
Adversaries Are Publishing at Scale. Speed Is Now the Only Defence.
A corpus of roughly 1,000 malicious packages impersonating TanStack libraries surfaced recently via jsDelivr telemetry. It is not an anomaly. It is the new baseline. The only meaningful response is to act faster than the blast radius can spread.
Known vs Novel Malware in Dependencies
Why matching against known-bad lists isn't enough, and what catching novel threats actually takes.
What Is a Registry Firewall?
Stop malicious packages before they're ever installed, by vetting at the registry layer.
Reachability Analysis, Explained
Most "critical" vulnerabilities never run in your app. Reachability tells you which ones do.
Software Supply-Chain Security 101
What the software supply chain is, how it gets attacked, and how to defend it.
Built for teams who ship fast
Drop Verifi into CI, your repos, or your registry proxy, and stop malicious packages before they ever reach a build.