Package metadata across NPM, PyPI, Docker.
Search package metadata, suspicious publish behavior, typosquat candidates, and dependency-confusion signals before they become customer-specific findings.
PACKAGE INDEX
Representative records
| Ecosystem | Package name | Version | Status | First seen | Last verified |
|---|---|---|---|---|---|
| npm | @bleedwatch/scanner-cli | 3.7.1 | Clean ✓ | 2026-04-12 | 2026-05-07 |
| npm | @bleedwotch/scanner-cli | 1.0.2 | Typosquat ⚠ | 2026-04-30 | 2026-05-07 |
| npm | @internal-package/api-client | 0.1.4 | Dep-confusion ⚠ | 2026-04-26 | 2026-05-06 |
| pypi | fastapi-authz | 0.9.4 | Clean ✓ | 2026-03-21 | 2026-05-07 |
| pypi | reqeusts-oauth | 2.31.8 | Typosquat ⚠ | 2026-04-19 | 2026-05-07 |
| pypi | cloud-token-tools | 4.2.0 | Malicious ✗ | 2026-05-02 | 2026-05-07 |
| docker | ghcr.io/bleedwatch/api | prod-2026-05-01 | Clean ✓ | 2026-04-01 | 2026-05-07 |
| docker | docker.io/bleedwatch-prod/api | latest | Dep-confusion ⚠ | 2026-04-29 | 2026-05-07 |
| docker | registry.example.com/frontend | canary-91 | Typosquat ⚠ | 2026-04-24 | 2026-05-06 |
| npm | linear-webhook-tools | 0.6.5 | Clean ✓ | 2026-03-09 | 2026-05-07 |
| pypi | stripe-events-lite | 1.4.1 | Clean ✓ | 2026-02-28 | 2026-05-05 |
| docker | ghcr.io/acme/worker | sha-9f42c1 | Malicious ✗ | 2026-05-04 | 2026-05-07 |
How packages are flagged.
Public records are promoted only after multiple signals line up or a verified report confirms the suspicious package behavior.
Pattern matching
Registry names, README language, install scripts, and source URLs are compared against known impersonation and abuse patterns observed across public advisories.
Dependency-confusion heuristic
Public package names are scored when they resemble internal namespace conventions, private registry paths, or build metadata that should not resolve from the public internet.
Maintainer anomaly
New maintainers, abandoned projects, sudden publish bursts, and mismatched repository ownership are treated as risk signals until verified against known-good metadata.
Community reports
Researcher submissions and customer reports are normalized into the same evidence model, then deduplicated before a package is promoted into the public index.
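The two name-based heuristics above (typosquat pattern matching and the dependency-confusion check) can be shown concretely. The following is an added example, not the index's own scoring code: it scores the package names from the table on this page against a known-good list, an internal-namespace pattern and a verified-registry map, all three of which are constructed assumptions. It covers only the heuristic statuses; a "Malicious" verdict comes from verified reports, not from anything a name comparison can produce.

```python
"""Typosquat distance and dependency-confusion heuristics over package records.

Added example, not the index's own scoring code. Package names come from the
table on this page; the known-good list, the internal namespace pattern and the
verified-registry map are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ecosystem: str  # "npm", "pypi" or "docker"
    name: str


def normalize(name: str, ecosystem: str) -> str:
    """Fold case, and for PyPI also fold '-', '_' and '.' to '-' (PEP 503 treats
    them as equivalent), so separator tricks do not evade the distance check."""
    n = name.strip().lower()
    return re.sub(r"[-_.]+", "-", n) if ecosystem == "pypi" else n


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each at cost 1. Counting swaps matters because
    'reqeusts' is a single transposition away from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, ecosystem, known_good, max_distance=1):
    """Known-good names within max_distance edits of `name`, nearest first.
    An exact match is the legitimate package itself, not a candidate."""
    n = normalize(name, ecosystem)
    hits = []
    for good in known_good:
        g = normalize(good, ecosystem)
        if g != n:
            dist = damerau_levenshtein(n, g)
            if dist <= max_distance:
                hits.append((good, dist))
    return sorted(hits, key=lambda h: h[1])


# Constructed assumption: scopes/prefixes an organisation reserves for private
# packages. A public package using them should never resolve for a private build.
INTERNAL_NAMESPACE = re.compile(r"^@?(internal|private|corp)[-/]|[-/](internal|private)([-/]|$)")

# Constructed assumption: the registry an organisation actually publishes images to.
VERIFIED_REGISTRY = {"bleedwatch": "ghcr.io"}


def dep_confusion_signals(record: Record) -> list:
    """Reasons a public name looks like it shadows a private one."""
    reasons = []
    if record.ecosystem in ("npm", "pypi"):
        if INTERNAL_NAMESPACE.search(record.name.lower()):
            reasons.append("name matches an internal namespace convention")
    elif record.ecosystem == "docker":
        registry, _, path = record.name.partition("/")
        if "." not in registry:  # bare 'org/image' means Docker Hub
            registry, path = "docker.io", record.name
        org = path.split("/")[0].split("-")[0]
        expected = VERIFIED_REGISTRY.get(org)
        if expected and expected != registry:
            reasons.append(f"{org} publishes to {expected}, but this image is on {registry}")
    return reasons


def classify(record, known_good, max_distance=1):
    """Heuristic status only; 'Malicious' requires a verified report."""
    if typosquat_candidates(record.name, record.ecosystem, known_good, max_distance):
        return "Typosquat"
    if dep_confusion_signals(record):
        return "Dep-confusion"
    return "Clean"


# Constructed known-good list; the typosquat targets are assumed, not taken from the page.
KNOWN_GOOD = {
    "npm": ["@bleedwatch/scanner-cli", "linear-webhook-tools"],
    "pypi": ["requests-oauth", "fastapi-authz", "stripe-events-lite"],
    "docker": ["ghcr.io/bleedwatch/api"],
}

if __name__ == "__main__":
    for eco, name in [("npm", "@bleedwotch/scanner-cli"), ("npm", "@internal-package/api-client"),
                      ("pypi", "reqeusts-oauth"), ("docker", "docker.io/bleedwatch-prod/api"),
                      ("docker", "ghcr.io/bleedwatch/api"), ("pypi", "fastapi-authz")]:
        rec = Record(eco, name)
        print(f"{eco:6} {name:32} {classify(rec, KNOWN_GOOD[eco])}")
```

Two design points match the flagging rules described on this page: the distance threshold of one edit is deliberately tight, because at two edits short names collide with unrelated legitimate packages and the signal stops lining up with others; and the Docker check keys on where an organisation is known to publish rather than on the image name alone, which is what separates `ghcr.io/bleedwatch/api` from a `docker.io/bleedwatch-prod/api` that a build with a mis-ordered registry list might pull instead.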