ModuleWarden is the policy layer between your developers and npm. Every version, every install, audited in an isolated sandbox before it lands in your codebase.
Free for OSS. No credit card. Self-host or cloud.
Real incident, real package. postmark-mcp v1.0.16, Sep 2025 · ~1,500 weekly downloads at time of compromise.
malicious npm packages
Sonatype, Q2 2025
YoY growth in attacks
Sonatype Open-Source Malware Index
median dwell time
Compromise to first install
audit logs by default
npm install gives you nothing
SCA tools flag known CVEs. Endpoint scanners look at what is already installed. By the time either fires, the malicious tarball is in your node_modules/, your environment variables are in someone else's S3 bucket, and your incident response clock is ticking.
A CVE gets assigned after the attack is public. The block arrives for a malicious version that has already shipped to production.
Bumblebee, EDR, runtime scanners. All useful. All look at packages after they are on disk, after the postinstall script ran.
The right time to block a malicious package is before it executes. ModuleWarden enforces that gate without slowing down legitimate work.
ModuleWarden runs between your package manager and the registry. Every npm install routes through the gate. The gate runs a bounded audit. The audit produces a decision. Your CI either gets the package or gets a clear reason it was blocked.
Each audit reviews version N to N+1 of one package. Not the 3M-package npm ecosystem. The signal-to-noise ratio actually works in our favor.
Attackers cannot game what they cannot see. Your review criteria live in your org. We never publish them. Each customer's rubric drifts independently as new attack patterns emerge.
The audit runs in a one-shot Docker container with no network, no host mounts, no secrets. Even if the package is actively malicious, the blast radius is zero. The container terminates, the verdict ships, the harness disappears.
Allow, quarantine, or block. Every decision streams to your SIEM with the reasoning, the diff, and the policy that fired. Your auditors will have actual answers.
developer / CI runner
             │
             │  npm install foo@2.1.0
             ▼
┌──────────────────────────┐
│    ModuleWarden Gate     │
│   (Verdaccio + policy)   │
└────────────┬─────────────┘
             │
             ├─ fetch v2.0.4 (last allowed)
             ├─ fetch v2.1.0 (proposed)
             │
             ▼
┌──────────────────────────┐
│     Audit Container      │
│ Docker · no net · 1-shot │
│  Bounded diff + rubric   │
└────────────┬─────────────┘
             │
             ▼
┌──────────────────────────┐
│     Policy Decision      │
│    + audit log > SIEM    │
└────────────┬─────────────┘
             │
     ┌───────┼────────┐
     ▼       ▼        ▼
   allow quarantine block
     │       │
     │       └─> Slack approval (one click)
     ▼
tarball > cache > developer
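The version N to N+1 review described above, sketched as an added example (not ModuleWarden's code or rubric). It assumes the audit has both package.json manifests in hand and applies a small hypothetical rule set; diffManifests, the rule names and the sample manifests are constructed for illustration.

```javascript
// Added illustration: diff the manifests of the last allowed version (N) and
// the proposed version (N+1), then map the changes to allow/quarantine/block.
// The rule set and all names are hypothetical, not ModuleWarden's rubric.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const RANK = { allow: 0, quarantine: 1, block: 2 };

function diffManifests(prev, next) {
  const findings = [];
  const prevScripts = prev.scripts || {}, nextScripts = next.scripts || {};
  for (const hook of LIFECYCLE) {
    const before = prevScripts[hook], after = nextScripts[hook];
    if (after === undefined || after === before) continue;
    // A hook appearing for the first time runs install-time code that no
    // previously reviewed version ran; a changed hook goes to a human.
    const isNew = before === undefined;
    findings.push({ rule: isNew ? "new-lifecycle-script" : "changed-lifecycle-script",
      severity: isNew ? "block" : "quarantine", detail: `${hook}: ${after}` });
  }
  const prevDeps = prev.dependencies || {}, nextDeps = next.dependencies || {};
  for (const [name, range] of Object.entries(nextDeps)) {
    if (prevDeps[name] === range) continue;
    if (/^(https?:|git[+:]|github:|file:)/.test(range)) {
      // The dependency now resolves from outside the registry.
      findings.push({ rule: "non-registry-source", severity: "block", detail: `${name}@${range}` });
    } else if (!(name in prevDeps)) {
      findings.push({ rule: "new-dependency", severity: "quarantine", detail: `${name}@${range}` });
    }
  }
  // The strictest finding decides the verdict.
  const decision = findings.reduce(
    (worst, f) => (RANK[f.severity] > RANK[worst] ? f.severity : worst), "allow");
  return { package: next.name, from: prev.version, to: next.version, decision, findings };
}

// Constructed sample manifests (not taken from any real package).
const lastAllowed = { name: "foo", version: "2.0.4",
  scripts: { test: "node test.js" }, dependencies: { "example-lib": "^1.3.0" } };
const proposed = { name: "foo", version: "2.1.0",
  scripts: { test: "node test.js", postinstall: "node setup.js" },
  dependencies: { "example-lib": "^1.3.0", "example-helper": "^0.1.0" } };

console.log(JSON.stringify(diffManifests(lastAllowed, proposed), null, 2));
```

The returned object carries the decision together with the findings that produced it, which is the shape an audit log entry needs.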
Perplexity's open-source endpoint scanner feeds ModuleWarden your installed-package inventory from every developer laptop and CI runner. Baseline risk score, org-wide, in one shot. The two tools are built for each other.
Splunk, Datadog, Sumo, Elastic, raw webhooks. Every decision, every approval, every override. Compliance auditors get a real trail. Security ops get real signal.
# self-host the gate
$ docker run -p 4873:4873 -v mw-data:/data ghcr.io/modulewarden/gate:latest

# point npm at it
$ npm config set registry http://localhost:4873/

# or cloud (early access)
$ npm config set registry https://gate.modulewarden.com/your-org/
Free for open source. Flat per-developer pricing for teams. No per-audit metering, no surprise bills after an incident.
No. SCA tools tell you which already-installed packages have known CVEs. ModuleWarden gates each install request before it executes. Different position in the stack, different problem solved. Use both.
Allowed versions are cached. Repeated installs hit the cache, sub-100ms. New-version installs add ~3-8 seconds for the audit. Quarantine is async: the install resolves with a clear "pending approval" message, and your CI gets a one-click resume from Slack.
False positives are reviewed by your approver in one click. False negatives are caught by the rule layer (static analysis runs in parallel with the model audit, and either can fail the policy). The model is one input. Your policy is the source of truth.
Self-host: nothing leaves your network. Cloud: only public-registry packages are audited against our hosted LLM. Private packages stay in your perimeter via the bring-your-own-endpoint option on Enterprise. Your rubric and your decisions are encrypted at rest with a customer-held KMS key.
Your developers would mutiny. The gate is calibrated for low false-positive rates by design. The point is to keep developers fast while raising the floor on what gets through.
npm first. The architecture is registry-agnostic; PyPI is on the immediate roadmap, RubyGems and cargo follow customer demand. Email us about your ecosystem and we will prioritize accordingly.
We are rolling out to design partners now. Tell us about your stack and we will be in touch within 24 hours.
No credit card. No spam. We respond within one business day.