
Koidex
Know if a package, extension, or AI model is actually safe
300 followers
Koidex helps you answer one question fast: "Is this safe to install?". Search extensions, code packages, and AI models across VS Code, JetBrains, npm, and Hugging Face. You can also install the Koidex IDE extension for real-time background scanning in Cursor and Windsurf. Free, no setup.

Koidex
👋 Hey Product Hunt! I’m Amit, Co-founder of Koi.
Today we’re launching Koidex. It helps you quickly check whether a package, extension, or AI model looks safe before it enters your stack.
Try it here: Koidex → https://dex.koi.security/?ref=producthunt
📖 Why We Built It
We’re the research team behind the discoveries of GlassWorm, ShadyPanda, and PhantomRaven, and we’ve seen how easily malicious code hides in “normal” developer tooling.
To prove how fast these blind spots get targeted, we ran a blunt test: we published a harmless lookalike VS Code theme and saw installs from large-company networks within 30 minutes. The industry knows these threats exist, but workflows haven’t changed. That was the moment we realized: “one-click install” needs “one-click due diligence.”
💡 What You Can Do With Koidex Today
🔍 Unified Search: One place to check VS Code, Chrome, JetBrains, npm, and Hugging Face, and more.
🧠 Behavior-Based Scoring: Focuses on what the code actually does, not just what the listing claims.
🧾 Readable Risk Summaries: Vulnerabilities, deep dependencies, permissions, and publisher signals.
🐟 Catch of the Day: Fresh suspicious or malicious items spotted in the wild.
👨🏻‍💻 Koidex IDE Extension: Scans installed extensions and flags risky installs in real time across VS Code, Cursor, Windsurf, VSCodium, and more.
🎁 Product Hunt Launch Offer
First 200 registrants via the Product Hunt link get unlimited searches for 2 weeks. Sign up here: https://dex.koi.security/?ref=producthunt
🙏 What I’d Love Feedback On
What ecosystem should we evaluate next?
What’s the one signal you wish you had before installing something?
If you try it, drop a package, extension, or model you use and tell me if the rating matches your gut.
I’m here in the comments!
This is the first time I can quickly sanity check an extension without falling into a rabbit hole. Nice job. Do you update scores automatically when an extension releases a new version?
Koidex
Thanks @amit_ganzi, glad you found it useful :)
Yes, we update scores as new versions are published. Quick question: would you rather get notified only on score changes, or also on specific signals (new permissions, new network behavior, etc.)?
I installed the IDE flow in Cursor and it instantly showed a couple extensions I forgot I even had. That alone is worth it. Does it alert when an extension updates and changes behavior?
Koidex
Amazing, thanks @netta_zohar2!
We re-evaluate extensions as new versions roll out, so ratings update over time. Alerts on updates/behavior changes are next on our list. What kind of alert would be most useful for you: score change, permission change, or behavior change?
How exactly does it work? I tried to input the name of a Chrome extension but it said "No items found matching your search". Does that mean it is not safe?
Koidex
Hey @zerotox - thanks for checking it out 🙏
“No items found” doesn’t mean it’s unsafe. It just means we didn’t find a match for that search in the source you selected.
Which Chrome extension were you looking for (name or link)? If you drop it here, I’ll help you find it (and if it’s missing, we’ll add it).
@dnslavin It didn't work earlier, but I tried again now and it worked. Thank you.
Koidex
@zerotox amazing 😊
ConnectMachine
Interesting. How do you find what is suspicious and what is safe though? What tech are you using on the backend? Asking to check the reliability.
Koidex
@syed_shayanur_rahman - great question! We don’t rely on a single signal.
Koidex scores risk using a mix of static + behavioral signals: permissions and capabilities, suspicious patterns (obfuscation, unusual install/update behavior), dependency and publisher signals, and known bad indicators. We also re-check items over time as versions change.
On the backend, it’s a pipeline that pulls listings + versions, runs analysis, and produces the score + explanation.
Great launch!!!!!!! This is one of those “why doesn’t this already exist” products. Curious how you detect suspicious behavior without running the code on my machine?
Koidex
Thanks @shoval_a !! 🙌 Love hearing that.
We don’t need to run anything on your machine. We analyze the listing and its code server-side and look for a mix of signals, for example: permissions/capabilities, suspicious code patterns (obfuscation, risky APIs, install/update hooks), dependency and publisher signals, and known bad indicators.
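To make the "static signals, server-side, score plus explanation" idea from the two replies above concrete, here is an added illustration that is not Koidex's code: a small heuristic scorer over a constructed npm manifest and source snippet. The signal names, weights and thresholds are assumptions chosen for the example.

```python
import json
import re

# Constructed package.json for a hypothetical npm package (not a real package).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-theme-helper",
    "version": "1.0.3",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"left-pad": "^1.3.0", "some-lib": "^2.0.0"},
})

# Constructed source snippet for the same package: eval of a base64-decoded string.
SAMPLE_SOURCE = ('const p = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9jb2xsZWN0"; '
                 'eval(Buffer.from(p, "base64").toString());')

# Illustrative signal weights (assumed for this example, not a real scoring model).
WEIGHTS = {"install_hook": 40, "dynamic_eval": 35, "encoded_blob": 15, "network_call": 10}


def extract_signals(package_json: str, source: str) -> list[str]:
    """Return the static signals found in a manifest plus its source text."""
    manifest = json.loads(package_json)
    signals = []
    scripts = manifest.get("scripts", {})
    # Lifecycle scripts execute automatically at install time.
    if any(k in scripts for k in ("preinstall", "install", "postinstall")):
        signals.append("install_hook")
    # Runtime code generation is a common obfuscation/loader pattern.
    if re.search(r"\beval\s*\(|new\s+Function\s*\(", source):
        signals.append("dynamic_eval")
    # Long base64-looking literals suggest an encoded payload or URL.
    if re.search(r"[\"'][A-Za-z0-9+/]{32,}={0,2}[\"']", source):
        signals.append("encoded_blob")
    if re.search(r"\b(fetch|https?\.request|XMLHttpRequest)\b", source):
        signals.append("network_call")
    return signals


def score(signals: list[str]) -> tuple[int, str]:
    """Sum the weights (capped at 100) and build a readable explanation."""
    total = min(100, sum(WEIGHTS[s] for s in signals))
    label = "high" if total >= 70 else "medium" if total >= 30 else "low"
    explanation = f"{label} risk ({total}/100): " + (", ".join(signals) or "no static signals")
    return total, explanation


if __name__ == "__main__":
    found = extract_signals(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE)
    print(score(found)[1])
```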
elasticode
Love the “Catch of the Day” concept. How often is it refreshed, and what qualifies something to show up there?
Koidex
@nogahsenecky Thanks! 🙌
Catch of the Day refreshes daily (and we’ll occasionally push mid-day updates when something high-confidence pops). An item shows up there when it trips our highest-risk signals, for example: suspicious permission combos, obfuscation / unusual code patterns, suspicious network behavior, or strong publisher / ecosystem indicators (like lookalikes or sudden changes).