Hey PH 👋 I'm Eran, co-founder/CTO at Arnica. Whether you are a professional developer or a "vibe coder" you probably got news from social media or a friend about compromised packages, probably you heard about the recent tanstack issue, or axios, and if not, that's ok, I'll explain why it's important. If you are a professional developer and knows what is npm, what is a supply chain attack, and what are cooldowns, and just want to have best practice configuration on your laptop just go to https://depsguard.com, install, click next, and you'll be protected. If you are a vibe coder and don't care about all the explanation and just want to protect yourself, do the same as above :) For vibe coders: When Cursor or Claude Code runs npm install, it's downloading code from strangers onto your laptop and running it. A typical project pulls in around 1,500 of these packages. That code can read your API keys, AWS credentials, and crypto wallets. Lately, attackers have been hijacking popular package maintainers' accounts and publishing malicious versions. Those versions get removed within hours, but those hours are enough to hit thousands of laptops. DepsGuard tells your package manager to ignore anything less than 7 days old, so the bad versions are removed before you'd ever touch them. For professional developers: You know the drill. axios, @tanstack, Bitwarden CLI, Shai-Hulud, same shape every time: account compromise, malicious version, 3-hour window, removal, repeat next month. Every modern package manager (npm, pnpm, yarn, bun, uv) now ships with a release-age delay. pnpm latest defaults to 1 day. Most teams don't have any of these on because they shipped quietly in the last year. DepsGuard checks your user-level configs and your repos, shows what's missing across all five managers plus Renovate and Dependabot, previews the diff, applies it, keeps a backup. This was created as a service to the community, free forever, MIT license (this means you can use it for free, modify it, even sell it if you want) Got to https://depsguard.com to protect yourself now!

DepsGuard

Configure once, prevent the next compromised package install

Configure once, prevent the next compromised package install