depx
Malicious package & supply-chain intelligence
Features •
Installation •
Usage •
Running depx •
JSON •
Join Discord
depx is a fast, passive supply-chain intelligence CLI. It tells you whether a package is known malicious (hijacked publishes, credential stealers, install-script backdoors) by matching against OpenSSF Malicious Packages data (MAL-*, OSV format) and a live intelligence feed curated from X (Grok API), refreshed hourly.
It answers four questions in seconds:
- What got compromised recently? The live feed of newly disclosed malicious packages.
- Is this specific package safe to install? Check any package before you add it.
- Have I already installed anything malicious on my system? Audit local lockfiles and SBOMs.
- Do my GitHub organization's projects ship any malicious packages? Scan whole orgs and repos.
Features
- Intelligence dashboard: default view with activity, ecosystems, impacted namespaces, and disclosure age.
- Compromised package feed: time-ordered cards via
depx feed (or --list for one line per result).
- Local dependency audit: scan lockfiles & SBOMs against a compiled local index.
- GitHub org & repo audit: pull dependency-graph SBOM exports and audit at scale.
- CI-ready: stable exit codes,
--require-clean gate, SARIF export, and a versioned JSON envelope.
- Instant package verdicts: check any
ecosystem:name ref, bare name, or piped list.
- False-positive control:
--exclude-pkg file to suppress known-good packages from audit findings.
- Fast & passive: local cache, background sync; read-only, never touches your apps.
Installation
curl -sfL https://raw.githubusercontent.com/projectdiscovery/depx/main/scripts/install.sh | sh
Downloads the latest release for your OS/arch (or builds with go install as fallback). The script verifies the binary and updates your shell PATH when needed.
From source (requires Go 1.25+):
git clone https://github.com/projectdiscovery/depx.git
cd depx
make build
./bin/depx --help
Or install with Go directly:
go install github.com/projectdiscovery/depx/cmd/depx@latest
Prebuilt binaries are also on the GitHub releases page.
Usage
depx --help
Core commands and flags:
Usage:
depx [flags]
depx [command]
Available Commands:
feed Show recently disclosed malicious packages (cards)
audit Audit dependencies for malicious packages (default: $HOME)
github Audit GitHub repositories via dependency-graph SBOM
search Search known malicious packages by name (local index)
id Lookup advisory by ID
version Show version and check for updates
update Update depx to the latest version
Global flags:
-j, --json Machine-readable JSON output
-V, --version Show version and exit
-e, --ecosystem string Restrict lookup to one ecosystem (npm, PyPI, Go, ...)
-v, --verbose Extra audit/github detail
--silent Suppress banner and version info
--no-color Disable ANSI colors
--config string Config file path
--update Update depx to the latest version
--disable-update-check Disable the update check
Default command (intelligence dashboard):
--since string Feed time window (default "3d")
-n, --limit int Dashboard/feed entry cap on default command
depx feed:
--since string Feed time window (default "3d")
-n, --limit int Result limit
--list One header line per result
depx search:
-n, --limit int Max results shown (default 25)
--list One header line per result
depx audit / depx github:
--require-clean Exit 1 if any malicious package is found
--exclude-pkg string File of ecosystem:package lines to exclude from findings
-o, --output string Write export file(s) to this path or basename
--output-format string Comma-separated export formats: json, csv, txt (default: json)
--sarif-export string Write SARIF 2.1.0 report to this path
--sbom-export string Write audited dependency SBOM (audit only)
--sbom-format string SBOM format: cyclonedx (default) or spdx
depx github:
-n, --limit int Max repos for org/user targets (default 100 with token, 10 without)
depx id:
--raw Raw OSV record only
Running depx
1. Intelligence dashboard (default)
depx # dashboard for last 3 days
depx --since 7d # widen the time window
depx -e npm # npm-only dashboard
depx feed # card feed (no dashboard)
depx feed --list # one line per advisory
depx -j # JSON for dashboards / pipelines
2. Audit your dependencies
Scans lockfiles and SBOMs against a local malicious-package index, instant after the first run. With no path, depx sweeps $HOME for projects and global installs.
depx audit # sweep $HOME for projects + global installs
depx audit ./my-app # a single project tree
depx audit ./bom.cdx.json # a CycloneDX / SPDX file
Supports npm, PyPI, Go, Cargo, RubyGems, Maven/Gradle lockfiles plus CycloneDX / SPDX SBOMs.
Suppress false positives. When a package is flagged that you've verified is safe, pass --exclude-pkg (on audit or github) a file of newline-separated ecosystem:package entries to drop from findings:
depx audit ./my-app --exclude-pkg .depxignore
depx github google --exclude-pkg .depxignore
# .depxignore: packages to exclude from findings
npm:internal-tool
PyPI:requests
*:shared-lib # '*' matches any ecosystem
3. Audit GitHub repos & orgs
Uses GitHub's dependency-graph SBOM exports. Set GITHUB_TOKEN for private repos and org discovery.
depx github projectdiscovery/depx
depx github google
depx github
Unauthenticated GitHub access is rate-limited to ~60 requests/hour, so without a token org/user scans default to 10 repos (vs 100 with a token). Set GITHUB_TOKEN, GH_TOKEN, or DEPX_GITHUB_TOKEN (or raise it explicitly with -n) to scan more.
4. Check a single package or advisory
depx npm:lodash
depx id MAL-2026-4343
depx search redhat
5. Gate it in CI
--require-clean exits non-zero the moment a malicious package is found.
depx audit . --require-clean # fail the build if anything is malicious
depx github google --require-clean -j
| Exit code |
Meaning |
0 |
Clean / success |
1 |
--require-clean and malicious packages found |
2 |
Usage error |
3 |
Upstream unavailable |
JSON output
Every -j response uses a stable, versioned envelope so it's safe to build on.
{
"schema_version": "1",
"command": "check",
"depx_version": "v0.1.0",
"data": {
"total": 1,
"results": [
{
"ref": "npm:evil-pkg",
"purl": "pkg:npm/evil-pkg",
"verdict": "malicious",
"confidence": "high",
"ids": ["MAL-2026-4343"],
"package_ecosystem": "npm",
"package_name": "evil-pkg",
"registry_url": "https://www.npmjs.com/package/evil-pkg",
"advisories": [
{
"id": "MAL-2026-4343",
"url": "https://github.com/ossf/malicious-packages/blob/main/osv/npm/MAL-2026-4343.json",
"summary": "Malicious code in evil-pkg (npm)",
"modified_at": "2026-06-01T12:00:00Z",
"published_at": "2026-06-01T10:00:00Z"
}
]
}
]
}
}
A clean package returns "verdict": "clean". Bare-name checks may include checked_ecosystems, matched_ecosystems, and found_ecosystems when searching all ecosystems.
Schemas live in schema/v1/.
License
depx is distributed under the MIT License.
Join our Discord • built with ❤️ by the ProjectDiscovery team