Dependency Supply Chain Monitor avatar

Dependency Supply Chain Monitor

Pricing

from $60.00 / 1,000 package checkeds

Go to Apify Store
Dependency Supply Chain Monitor

Dependency Supply Chain Monitor

Pricing

from $60.00 / 1,000 package checkeds

Rating

0.0

(0)

Developer

Kostiantyn Pavlenko

Kostiantyn Pavlenko

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

npm & PyPI Supply Chain Monitor

Monitor your npm and PyPI packages for supply chain attacks — typosquats, hijacked maintainer accounts, surprise deprecations, license changes, and new or yanked versions — automatically, on a schedule. This npm and PyPI supply chain monitor gives security and platform teams an early-warning feed for the packages they depend on (or the package names they publish and want to protect) for a few cents per check, instead of a per-developer SaaS seat like Snyk ($25/dev/mo).

It is a stateful monitor, not a one-off scraper: every run is compared against the previous run, so you get what changed, not a re-dump of the registry. It runs entirely on the official npm and PyPI APIs — no AI cost, no proxy cost, no npm account.

Why it catches what Snyk and OSV/CVE monitors miss: most 2026 supply-chain attacks ship with zero CVEs — a typosquat or a hijacked maintainer account is not a disclosed vulnerability, so tools that watch CVE feeds (Snyk, Dependabot, OSV.dev monitors) never see it. Recent proof: the Mastra → easy-day-js typosquat (Jul 1, 2026), the 17-package Paysafe/Skrill/Neteller typosquat cluster (Jul 7, 2026), and the self-propagating Mini Shai-Hulud worm across npm and PyPI. This actor watches the attack signals themselves — new look-alike names and maintainer changes — not just the CVE list.

How does npm and PyPI supply chain monitoring work?

  • Detect typosquats — scan npm and PyPI for newly-published look-alike names within a set edit distance of your packages (the classic malware-delivery vector behind attacks like the colorama → colorizr PyPI campaign).
  • Catch maintainer takeovers — get alerted the moment an owner or maintainer is added or removed, the strongest account-hijack signal.
  • Track new versions — know within one run when a dependency ships a release, so you can review it before it lands in your build.
  • Spot deprecations and yanks — surface npm deprecations and PyPI yanked releases as soon as they happen.
  • Watch license drift — flag a surprise relicense before it becomes a compliance problem.
  • Diff every run — persistent snapshots mean you only see changes, never noise.

Why use this instead of Snyk, Socket, or a CVE/OSV monitor?

CapabilityThis ActorSnyk / DependabotSocketOSV / CVE monitorsPyPI/npm scrapers
Cost~$0.06 / package / run$25/dev/mo+Per contributorVariesPer result
Catches 0-CVE attacks (typosquat, takeover)YesNoPartialNo (CVE-only)No
Typosquat name detectionYesNoPartialNoNo
Maintainer-takeover alertsYesLimitedYesNoNo
Stateful run-over-run diff (not a re-dump)YesYesYesYesNo
Watch package names you don't installYesNoNoNoYes
npm + PyPI in one runYesYesYesYesUsually one
No seat / account requiredYesNoNoVariesYes

Snyk and Socket are full org-wide SCA platforms priced per developer or contributor; OSV/CVE monitors and the PyPI/npm dependency-intelligence scrapers on the Store either watch known vulnerabilities or dump metadata one run at a time. This actor does something none of them do: it diffs supply-chain integrity signals run-over-run — new look-alike names and maintainer changes — for exactly the packages you name, including ones you don't install (like your own published package names), for pennies per check.

What can you monitor on npm and PyPI?

  • Version changes — every new version with its publish timestamp, plus latest-vs-previous tracking.
  • Security signals — added or removed maintainers (takeover), newly deprecated versions (npm), newly yanked releases (PyPI).
  • Legal and compliance — a package's license value changing between runs.
  • Typosquats — look-alike package names with their edit distance, alerting only on names that are new since the last run so you aren't re-pinged about known ones.

How to use the supply chain monitor

  1. Add your packages — list them as registry:name (for example npm:express, npm:@babel/core, pypi:requests), or point the actor at a package.json or requirements.txt URL to watch an entire project at once.
  2. Choose what to watch — toggle versions, deprecations, license, maintainers, and yanks, and set the typosquat edit distance (default 2).
  3. Run once for a baseline — the first run records a snapshot and reports no changes by design.
  4. Schedule it — hourly or daily; every later run reports only what changed.
  5. Wire up alerts — connect Apify's Slack, webhook, or email integrations to push changes straight to your team.

How much does supply chain monitoring cost?

Pricing is pay-per-event: you are charged per package checked per run. No subscription, no proxy fees, no AI surcharge.

Packages watchedScheduleApprox. monthly cost
10Daily~$18
25Daily~$45
50Weekly~$12

Compare: Snyk starts at $25 per developer per month and Socket bills per contributor — both priced for an entire engineering org. This actor watches just the packages you care about for a few cents per check, with no seats to buy.

Input example

{
"packages": ["npm:express", "npm:@babel/core", "pypi:requests"],
"manifestUrls": ["https://raw.githubusercontent.com/acme/api/main/package.json"],
"watchTyposquats": true,
"typosquatDistance": 2,
"checkNewVersions": true,
"checkDeprecations": true,
"checkLicenseChanges": true,
"checkMaintainerChanges": true,
"checkYanked": true
}

What does the output look like?

{
"package": "express",
"registry": "npm",
"latestVersion": "5.2.1",
"previousLatestVersion": "5.2.0",
"isFirstRun": false,
"checkedAt": "2026-07-09T12:00:00.000Z",
"summary": {
"latestVersion": "5.2.1",
"totalVersions": 312,
"maintainers": 3,
"license": "MIT",
"typosquatsWatched": 2,
"changesDetected": 2
},
"changes": {
"newVersions": [{ "version": "5.2.1", "publishedAt": "2026-07-08T09:12:00Z" }],
"deprecations": [],
"licenseChanges": [],
"maintainersAdded": [],
"maintainersRemoved": [],
"yankedReleases": [],
"newTyposquats": [{ "name": "expres", "distance": 1 }]
},
"currentlyDeprecatedVersions": [],
"currentlyYankedVersions": [],
"typosquats": [
{ "name": "expres", "distance": 1 },
{ "name": "expresss", "distance": 1 }
]
}

Who uses the npm and PyPI supply chain monitor?

  • AppSec engineers — a lightweight, schedulable supply-chain watch feeding Slack or a SIEM, covering the packages that matter most without a full SCA rollout.
  • Platform and DevEx teams — get told when a production dependency deprecates, relicenses, or changes maintainers before it breaks a build.
  • Open-source maintainers — protect your own package name by watching for typosquats and impersonators the day they appear.
  • Engineering managers — a cheap, auditable record of dependency and ownership changes across a portfolio of critical packages.
  • Security researchers — track maintainer and version churn across npm and PyPI to spot suspicious activity early.
  • Compliance and legal teams — catch license drift on dependencies before it turns into a licensing violation.

Frequently asked questions

How do you detect typosquatting in npm and PyPI? For each package you watch, the actor scans the registry for names within a chosen Levenshtein edit distance (default 2) and reports look-alikes that are new since the last run — the same technique used to catch malicious clones like expres or python-requests impersonators.

How can I get alerted when an npm package is deprecated? Add the package to your watch list and keep checkDeprecations on. When any version is newly marked deprecated on npm, it appears in that run's deprecations array; wire an Apify integration to push it to Slack or a webhook.

Can I monitor PyPI for malicious or yanked packages? Yes. On PyPI the security-relevant signals are yanked releases and maintainer changes; both are tracked per run, alongside typosquat scanning against the full PyPI project index.

How do I know if an npm package changed maintainers? Maintainer add/remove is diffed every run and reported in maintainersAdded / maintainersRemoved — the classic account-takeover indicator behind many recent supply-chain incidents.

Does this need proxies or an npm account? No. It uses the public npm registry and PyPI JSON APIs, which have no anti-bot and require no login, key, or proxy.

Does it use AI? No. Typosquat detection is pure edit-distance math and everything else is JSON diffing, so there are no model API costs.

Which registries are supported? npm and PyPI today. RubyGems and other ecosystems are on the roadmap.

How is this different from Snyk or Dependabot? Snyk and Dependabot focus on known CVEs and version bumps in repos you own. This actor focuses on supply-chain integrity signals — typosquats, maintainer takeovers, deprecations, yanks, license drift — for any package names you choose, including ones you only want to watch, not install.

How is this different from an OSV.dev / CVE vulnerability monitor? CVE and OSV monitors alert on disclosed vulnerabilities — but a fresh typosquat or a hijacked maintainer account has no CVE, often for days or forever. This actor watches the pre-CVE attack signals (new look-alike names, maintainer add/remove) so you're warned before anything reaches a vulnerability feed.

How is this different from the PyPI/npm scrapers on the Store? Those return a metadata snapshot each run (dependencies, versions, maintainer contact info). This is a stateful monitor: it stores each run and reports only what changed since last time, and it adds typosquat and takeover detection those scrapers don't perform.

Limitations

  • The actor detects metadata changes (versions, license, maintainers, typosquats); it does not download or statically analyze package code.
  • Deprecation flags are an npm concept; on PyPI the equivalent signal is a yanked release.
  • PyPI typosquat scanning uses the full project index (~850k names) cached for 24 hours, so the first PyPI scan in a day takes a few extra seconds.
  • npm typosquat candidates come from registry search relevance, so extremely obscure squats may not surface until they are indexed.
  • The first run for each package is a baseline and intentionally reports no changes.