Skip to content

Install-time supply-chain triage checks (install-scripts, dep-confusion, slopsquat, lockfile drift) #49

Description

@sandstream

From the kit build-research (2026-06). Top recommendation #2. On-brand: deterministic, zero-LLM, local-first. Concretizes kit's "installs nothing untriaged" triage gate.

Why now

CVE-based scanners structurally miss the hottest supply-chain attacks: H1-2026 alone produced 37 campaigns / 497 packages, often with "0 CVEs". A local install-time triage gate fills the gap. Phoenix Security

Deterministic checks to build

  • Install-script flagging — does this dependency run postinstall/preinstall scripts? npm v12 (July 2026) blocks them by default; OWASP calls --ignore-scripts the single most effective mitigation. npm v12
  • Dependency confusion — internal package name resolving against a public registry. slopsquat+confusion
  • Slopsquat / typosquat heuristics — 19.7% of AI-recommended packages don't exist; 43% of hallucinated names recur deterministically → predictable and registerable at scale. slopsquatting
  • Lockfile pinning / drift — Shai-Hulud pattern: self-replicating credential theft via poisoned republished versions. Shai-Hulud · TanStack/Mini-Shai-Hulud

Positioning

Socket owns behavioral install-time triage but is cloud-backed (analysis runs against socket.dev). A local-first, offline "installs nothing untriaged" gate has no direct equivalent. Socket CLI

Part of the build-research backlog (umbrella links #45, #46, #47).

🤖 Generated with Claude Code

https://claude.ai/code/session_015ERHw6bVUz39sAuoQZ1iyg

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions