Threat Feed

Live stream of malicious and suspicious open-source packages flagged by Nithic's supply-chain analyzer — 200+ static detectors across the npm, PyPI, crates.io, RubyGems & Go firehose. Look up any package.

Verdicts are Nithic's own automated static analysis of publicly published packages, shown for transparency and research. A flag is not a definitive judgment of intent; “suspicious” means risk indicators warrant review. Package names/code are public; no private data is shown.