
Jeff Rogers
Security engineer building supply-chain defense tools. Paste a lockfile, know in seconds if the latest npm attack hit you.
Joined July 2026
ACTOR STATS
3 public Actors
6 total users
1 monthly user
81.8% runs succeeded
I'm Jeff — a security engineer who got tired of watching teams grep lockfiles against vendor blog posts at 11pm every time an npm supply-chain attack hit. This year alone: axios, node-ipc, Red Hat's npm scope, 140+ Mastra packages. The pattern isn't slowing down.
The 30-second answer to "are we affected?"
- Paste a
package-lock.json,yarn.lockorpnpm-lock.yaml(or a GitHub URL) — get a verdict in seconds - Reports malicious packages only (OSV
MAL-*advisories) — "you are compromised, act now", never CVE noise, so it works as a CI gate - Major incidents come enriched with hand-maintained response context: what the payload does, what to hunt for beyond the package, and the primary write-ups
- Privacy by default: packages from private registries are never sent to any external API — your internal package names stay yours
- No install, no signup with a security vendor. Works from a browser, CI, or as an MCP tool for your AI agents
New incidents are tracked continuously and enrichment ships the day they break.
Dependable event-data Actors — ExpoFP and Expocad exhibitor list scrapers with daily health monitoring.
Found an issue or need a feature? Open an issue on the Actor's Issues tab — I read every one.