Show HN: Computer Police – block malicious NPM/pip installs locally

Y	Hacker News new \| ask \| show \| jobs

Show HN: Computer Police – block malicious NPM/pip installs locally (computer.police.dev)

1 points by kannthu 27 days ago

A couple of months ago, our team got hit by the first version of Shai-Hulud through a random `npm install`. We didn't catch it until it was too late.

I built Computer Police for our team to never be in this situation again.

It's designed to block that earlier. It runs a local registry proxy between your package manager and npm/PyPI, and stops confirmed-malicious packages before they touch disk.

It's deliberately narrow: malware only, no CVE scanning, no heuristics, no telemetry, no root, and removable with one command. Works locally, in CI, and in agent sandboxes.

https://computer.police.dev/

1 comments

hootz 27 days ago

Interesting. How long does it usually take for an attack to be identified and catalogued at OSV? Should this be used together with minimum release date?

link

kannthu 27 days ago

I don't have the exact number for you, but what I observed was that it took a couple of hours for npm to remove some of the packages this week, even though an advisory was published

+ To be clear, this tool does not solve the problem if you are one of the first people to get infected; it minimizes your chance if you are the N-th person

link