Supply-chain protection across every package manager
npm, pip, Cargo, Bun, and more. Every install on your laptop, in CI, and in production runs through nproxy — malware, CVEs, and risky config never reach disk.
Real supply chain incidents across package ecosystems
nproxy puts policy checks directly in your package install path, so risky versions can be blocked or warned before they land in developer and CI environments.
245K+
Malicious packages discovered across all ecosystems in 2023
Sonatype reported over 245,000 malicious packages across all ecosystems in 2023, with npm and PyPI as the primary targets.
8M
Weekly downloads exposed in the event-stream compromise
event-stream was pulling roughly 8 million weekly downloads when the compromise was uncovered.
24M
Weekly downloads exposed in the ua-parser-js hijack
Compromised ua-parser-js versions reached a package with roughly 24 million weekly downloads.
Sources: Sonatype State of the Software Supply Chain (2023 update), Snyk event-stream incident analysis, and incident reporting on ua-parser-js compromise.
Run this in your project directory. It writes .npmrc for you.
nproxy applies eight policy rules across local dev, CI, Docker, Kubernetes, and cloud platforms. Risky packages are stripped before they reach your build.
Deploys only pass when package, security, env, and binding policy is satisfied. Every allow, block, deploy, and config event is recorded.
Source, install, and retirement decisions stay connected — one record for policy, approvals, and evidence.
Blocks packages flagged as known malware by Socket.dev across all supported ecosystems.
Catches: Trojans, cryptominers, credential stealers
Can block versions published within the last 7 days, giving the ecosystem time to vet new releases.
Catches: Zero-day supply chain attacks, typosquats
Warns when a new version adds dependencies that were never part of the package before.
Catches: Dependency injection attacks (event-stream)
Warns when a package version is published by a different maintainer than previous versions.
Catches: Account takeovers, social engineering transfers
Warns when a package includes preinstall, postinstall, or other lifecycle scripts.
Catches: Arbitrary code execution during install
Warns when a package's overall Socket.dev risk score falls below the configured threshold.
Catches: Low-quality, abandoned, or suspicious packages
Blocks packages with known critical or high severity CVEs from the OSV database. Configurable severity threshold.
Catches: Known exploitable vulnerabilities in dependencies
Warns or blocks packages with specific licenses or no license at all. Configurable blocked license list.
Catches: GPL in proprietary codebases, unlicensed code
Patterns from real attacks, mapped to nproxy rules.
A trusted package account is compromised and a malicious release is published by a different maintainer identity.
A lookalike package name appears and publishes quickly before normal ecosystem vetting catches up.
A new package version adds dependencies that were never present in prior releases and introduces unexpected runtime behavior.
Lifecycle scripts execute during install and create arbitrary code execution risk on developer and CI machines.
Known malicious indicators are matched from external intelligence feeds and policy can block package retrieval.
A package or version drops below your configured trust threshold and policy can warn or block based on your rule settings.
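The history-based rules above (new version age, newly added dependencies, maintainer change, lifecycle scripts) can be illustrated against npm registry metadata. The evaluator below is an added example, not nproxy's code; it assumes the public npm packument layout (`versions`, `time`, per-version `dependencies`, `scripts` and `_npmUser`) and runs over a constructed document for a fictional package.

```python
from datetime import datetime, timedelta, timezone

RECENT_DAYS = 7  # matches the "published within the last 7 days" rule
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

def _ts(iso):
    # npm "time" entries look like 2024-03-01T12:00:00.000Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def check_version(packument, version, now):
    """Return the names of the rules that fire for installing `version`."""
    versions, times = packument["versions"], packument["time"]
    cur = versions[version]
    fired = []
    # Rule: version published too recently for the ecosystem to have vetted it
    if now - _ts(times[version]) < timedelta(days=RECENT_DAYS):
        fired.append("new-version")
    # Earlier releases, oldest first, for the history-based rules
    prior = sorted((v for v in versions if _ts(times[v]) < _ts(times[version])),
                   key=lambda v: _ts(times[v]))
    if prior:
        # Rule: dependencies that never appeared in any earlier release
        seen = set().union(*(versions[v].get("dependencies", {}) for v in prior))
        if set(cur.get("dependencies", {})) - seen:
            fired.append("new-dependencies")
        # Rule: published by a different account than the previous release
        prev_user = versions[prior[-1]].get("_npmUser", {}).get("name")
        if cur.get("_npmUser", {}).get("name") != prev_user:
            fired.append("maintainer-changed")
    # Rule: lifecycle scripts mean arbitrary code runs at install time
    if LIFECYCLE_SCRIPTS & set(cur.get("scripts", {})):
        fired.append("install-scripts")
    return fired

# Constructed packument for a fictional package; 1.1.0 shows every warning sign at once
SAMPLE = {
    "time": {"1.0.0": "2024-01-10T00:00:00.000Z", "1.1.0": "2024-06-01T00:00:00.000Z"},
    "versions": {
        "1.0.0": {"dependencies": {"dep-a": "^2.0.0"}, "_npmUser": {"name": "alice"}},
        "1.1.0": {"dependencies": {"dep-a": "^2.0.0", "injected-dep": "0.1.0"},
                  "_npmUser": {"name": "mallory"},
                  "scripts": {"postinstall": "node setup.js"}},
    },
}
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # two days after 1.1.0 was published

if __name__ == "__main__":
    for v in SAMPLE["versions"]:
        print(v, check_version(SAMPLE, v, NOW))
```

A proxy would map "new-version" to a block and the remaining findings to warnings, as the rule descriptions above state.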
Run the setup command to try package policy out locally. Create an org when you are ready to enforce shared CI, deploy, and audit policy.
npx @nproxy/cli setup
Need CI gates, production enforcement, audit logs, or shared rules? Create an org.
Writes .npmrc with the local proxy registry
registry=http://127.0.0.1:4873/
One policy layer covers package installs, deploy gates, runtime configuration, and identity. Env vars still work — bindings just make them typed, auditable, and policy-controlled.
Block deploys when package, CVE, license, env, or binding policy fails. Wires into CI, Docker builds, Kubernetes admission, and cloud platforms.
Bindings sit beside normal env vars and make production config typed, auditable, and policy-controlled. Required keys, allowed values, and audit on access.
Every install, deploy, blocked package, and config read traced to a specific user and surface. Filter, search, and export to CSV or SBOM.
Real-time alerts when packages are blocked or deploys gated. Routed to org admins with rule details and a direct link to the audit log.
Connect Okta or any SCIM 2.0 IdP. Users and API tokens are provisioned automatically. Offboarding means instant revocation.
Push client certs via MDM, host private packages alongside public ones. Same registry config, same install command. Stored in R2 with org-level isolation.
Deploy via MDM. Certs, tokens, and registry configs pushed to every machine. Developer does nothing.
Free for local dev. Paid plans add CI and production deploy enforcement, team audit logs, and policy controls.
Local proxy. Individual use.
Solo owner. Private policy.
Everything in Free, plus
2–10 engineers. Production enforcement.
Everything in Pro, plus
Up to 100 engineers. Cloud + identity.
Everything in Team, plus
Enterprise · from $10k/year
SCIM provisioning, mTLS device auth via MDM, internal package hosting, custom registry support, dedicated SLA.