A continuous analysis engine for the supply chain — every newly published package, extension, and marketplace artifact is fetched, the delta to the previous version computed, and a kill-chain verdict rendered. Typosquats, injected install hooks, obfuscated droppers, and compromised dependencies, caught as they ship.
Analyses run
Active malicious
Suspicious
Compromised versions
Malicious by dependency
Analysed last 24h
Package registries, extension stores, IDE & AI marketplaces, and build pipelines — one analysis engine across all of them.
A SKILL.md is instructions your AI agent will follow — and code it may run. Nithic scans every agent skill and instruction file (SKILL.md, CLAUDE.md, AGENTS.md, Cursor & Copilot rules) locally, on the box, before it ever loads — for prompt-injection and bundled payloads. — public skills scanned and counting.
Text that tries to override the agent's system prompt or your operator policy — "ignore all previous instructions", impersonating the system or developer role.
Steps that read credentials (.env, .aws, .ssh, tokens) and ship them outward — the steal-and-send kill chain, whether in prose or a bundled script.
Whole-home or system destruction smuggled into an innocuous-looking "setup" step.
Skills that steer the agent into dangerous tools — shell, file delete, money movement — well beyond their stated purpose.
"Download this and do what it says" — pulling a second-stage payload or instruction set from a remote host at run time.
Invisible and look-alike characters that conceal an instruction from a human reviewer — but not from the model.
Bundled scripts get the same shell-payload kill-chain analysis as supply-chain packages. Clean skills never leave your machine — only a flagged one is sent for deeper cloud + LLM review. The same sensor watches the MCP servers your agents connect to, risk-classifying every tool call and blocking the dangerous ones by policy.
The most recent malicious packages flagged by the engine. inherited = own code is clean but it pulls in a compromised dependency.
Inheritance and delta analysis turn isolated detections into mapped campaigns.
easy-day-js dropperA dayjs typosquat shipping the real library verbatim alongside an injected, obfuscated postinstall that downloads bss.exe from a throwaway Cloudflare tunnel and runs it. Caught on publish by the obfuscation + auto-exec kill chain.
@mastra publish waveEight @mastra/* packages, each published one patch above the current release, each injecting easy-day-js as a dependency — then pulled from the registry. Dependency inheritance flagged all eight as malicious-by-dependency while their own code stayed clean.
The headline supply-chain pattern: a trusted package that newly introduces a self-damning act in a single version. Delta-weighted scoring surfaces the change, not just the capability.