Malicious packages, stopped before they ship.
AI coding agents pull in dependencies by the dozen — and attackers now publish malicious packages, typosquats, and hijacked versions built to catch them. A single install runs arbitrary code on a laptop or a CI runner. Heeler defends the whole software supply chain at every stage: before code is written, at the keyboard, at the pull request, and continuously after merge — blocking the known-bad and catching the brand-new.
Supply-chain risk doesn't resolve at a single checkpoint.
A malicious package looks legitimate the moment it's published, sails through a merge check, and only detonates later — on install, in a postinstall hook, or in production. Any single control point misses it. You need coverage across the whole lifecycle.
Weaponized against agents
Attackers publish typosquats and malicious versions timed for the moment an AI agent resolves a fresh dependency — often before any advisory exists.
Install is code execution
A single install runs arbitrary code — obfuscated payloads, C2 callbacks, postinstall hooks — on a laptop or CI runner, before review even starts.
Unpinned means silent
Unpinned dependencies resolve to whatever is newest at install time, so a compromised release can land with no diff and no signal.
Known-bad and never-seen-before.
Two detection methods, one verdict. Known-malicious packages are matched instantly against threat intelligence; brand-new and obfuscated ones are caught by reading the package code itself — so a novel campaign doesn't get a free pass while it waits for an advisory.
Known-malicious, instantly
Every dependency is matched against threat-intelligence and advisory feeds — high confidence, low noise, flagged the moment it's known.
Novel campaigns, caught early
Deep code analysis reads packages for obfuscation, command-and-control calls, suspicious postinstall hooks, and anti-forensics — catching malicious versions before any advisory lists them.
Typosquats & hijacks
Lookalike names and hijacked releases, aimed at the moment an agent resolves a new or renamed dependency, are surfaced for what they are.
Unpinned & unmaintained
The systemic gaps — unpinned dependencies, abandoned packages, missing package-manager controls — that let a compromised version slip in silently.
Blocked at the pull request.
The best malicious package is the one that never merges. PR guardrails enforce policy on your SCM's native checks, and cooldown controls hold back the riskiest releases at the moment they'd install.
Compromised dependency
Any pull request introducing a known-malicious or compromised package is blocked outright.
Minimum release age
A cooldown holds back brand-new releases during the highest-risk window right after publish — start in observe, move to warn, then block.
Unpinned dependency
Flag and enforce version pinning across every repo, so an install can't silently drift onto a compromised release.
Enforced where it installs
Cooldown and pinning apply where packages actually land — developer laptops and CI runners, across the ecosystems your agents pull from.
Your pipeline runs third-party code too.
A GitHub Actions workflow pulls in actions the same way your app pulls in packages — and those actions pull in more actions, usually by a mutable tag and rarely reviewed. The tj-actions/changed-files compromise showed how one trusted action can leak the secrets of thousands of pipelines at once. Heeler treats your workflows as the supply chain they are.
The whole action graph
Heeler parses every workflow, composite, and reusable action, then resolves the transitive tree — following each action into the actions it calls — into an SBOM alongside your app dependencies.
Pinned to a commit, or not
Every action reference is classified: a full commit SHA is pinned; a mutable v3 tag or a branch is not — the difference between a frozen dependency and one an attacker can move under you.
Compromised & malicious actions
The tj-actions class of attack — a trusted action turned backdoor — is matched against a dedicated actions advisory feed and blocked.
Typosquats & impostor commits
Look-alike action names, and fork-only commits that were never reachable from the real repository, are surfaced before they ever run.
Publisher & repo trust
Marketplace verification, publisher age, provenance attestations, archived repos, and OSSF Scorecard signals — dangerous workflows, over-privileged tokens — fold into each action's trust score.
Gated at the pull request
New unpinned, compromised, or low-trust actions are warned or blocked at the PR — without failing on the actions already in your pipelines.
A safe version to move to — not just an alert.
Finding the bad package is half the job. Heeler computes the deterministic remediation: the known-good version that clears policy, validated so the fix doesn't reintroduce risk.
The right version, chosen for you
Remediation targets a known-good release that clears policy — including your minimum-age setting — so the upgrade doesn't trade one risk for another.
Deterministic and validated
Upgrades are computed and compile-checked, not guessed — the same deterministic remediation that fixes vulnerable dependencies.
Burns down the backlog
Compromised and risky packages already in your tree are grouped and remediated, not just the net-new ones.
One program, five points of control.
Supply-chain risk doesn't resolve at one checkpoint, so Heeler covers every stage the code moves through — from the agent that picks a package to the workflow that routes the response.
Posture, continuously
Systemic gaps — unpinned dependencies, unmaintained packages, missing controls — surfaced before any single package goes bad.
Agent skills, before code
The skills and guidance your AI agents run are vetted, so risky package choices are steered out before code is written.
CLI, at the keyboard
Malicious and high-risk dependencies are caught locally, pre-PR — the same checks your agents run.
Guardrails, at the PR
Known-bad and newly published high-risk versions are blocked at the pull request, on your SCM's native checks.
Workflows, after merge
The response is automated — routed to the owning team, ticketed, and messaged to Slack or Teams, including retroactively for what's already merged.
See what your dependencies are really pulling in.
A demo runs Heeler across your repos — surfacing the malicious, compromised, and unpinned packages already in your tree, each with the safe version to move to.
