supply-chain-defense

Installation
SKILL.md

Supply Chain Defense

Proactive, behavioural-first defense against the 2026 software supply chain threat: self-propagating worms (Shai-Hulud / Mini Shai-Hulud) that poison popular npm and PyPI packages, steal credentials, republish from stolen tokens, and inject persistence hooks into Claude Code and VS Code settings specifically.

Helps with

Every install or version bump is a use case for this skill, not just suspected attacks — the routine cooldown gate + behavioural score is the whole point.

Deciding whether a dependency you're about to add is safe — getting a behavioural verdict on an npm or PyPI package before npm install / pip install, not days later when a CVE drops. socket package score, the depscore MCP, or scripts/preinstall-check.sh.

A teammate or CI just pulled a freshly-published package version and you need to know if it's poisoned. The Shai-Hulud / Mini Shai-Hulud worm ships malicious versions that live for only hours (axios 1.14.1 / 0.30.4 were live ~3h).

Installs
10
GitHub Stars
24
First Seen
May 26, 2026
supply-chain-defense — 0xdarkmatter/claude-mods