The world's first install-time supply-chain firewall, built on peer-reviewed research at Cork (CIT → MTU). One decision brain intercepts every install across npm, PyPI, Maven, Go and NuGet, on laptops, CI/CD and Kubernetes, answering in milliseconds: is this safe to ship?
The four-signal detection brain and the XYZ risk score weren’t dreamed up in a sprint planning. The methodology was developed and formally defended as a master’s thesis at the Cork Institute of Technology (now Munster Technological University), then refined into the production engine you see today. Our competitors started from a product spec. We started from a literature review.
Engaged with enterprise security, payments and research teams across three continents, and integrated with the ecosystem your stack already runs on.
// trusted by
// built with
Real campaigns, blocked at install before any CVE existed. Here is the proxy log, the moment each one hit the wire, and the full dissection of each.
0 packages scanned this week
flatmap-stream@0.1.1BLOCKEDgha/CyberXYZ CI/CD Linux172.184.213.226CRITICALaxios@1.14.1BLOCKEDMike’s MacBook DEV macOS169.254.169.126CRITICALleft-pad@1.3.1BLOCKEDgitlab/cyber CI/CD Linux34.139.136.251CRITICAL
go-weather-sdk@v0.4.0BLOCKEDgitlab/cyber CI/CD Linux34.139.136.251CRITICAL
AeroWizard.Net@2.3.1BLOCKEDgitlab/cyber CI/CD Linux34.139.136.251CRITICAL
durabletask@1.4.1QUARANTINEgitlab/cyber CI/CD Linux34.139.136.251MEDIUMfig. 02 · proxy findings (live capture from app.cyberxyz.io)
A compromised maintainer shipped two malicious axios tags that pulled in a North Korean RAT dropper. Blocked at install, three weeks before the CVE existed.
One stolen npm token poisoned 323 packages across the AntV namespace in 27 minutes, with a credential harvester wired to run before any user script. Every version blocked on its lifecycle hook.
npm v12 makes you approve every install script by hand. Paste a package and see the XYZ verdict, the signals that fired, and whether its scripts are actually safe to approve.
Most supply-chain tools rate a package on project-health signals. CyberXYZ does that and reads the actual change, line by line, commit by commit, so a malicious hook is caught the moment it lands. This is where we catch the zero-day: at the commit and the pull request, before it ever reaches an install, no CVE required.
fig. · commit-level verdict · caught at the pull request, before any install
Wherever a package is requested, a developer's laptop, a CI runner, a Kubernetes node, CyberXYZ is already there with the same verdict. Here's how it shows up across your stack.
ONLINE
ONLINE
ONLINE
ONLINE
A registry proxy intercepts each install, scans the tarball and reads the commit, then returns allow, alert, quarantine or block in milliseconds, across laptops, CI/CD and Kubernetes.
Explore the Platform →
One pip install puts the brain in your terminal. Enroll a machine, gate every install through the proxy, and audit any project, across all five ecosystems.
xyz proxy setup · gate every installxyz audit · scan any lockfilexyz depalert · fail the CI buildJobs from any source flow through the XYZ gate. Clean builds pass; malicious ones fail, before they ever merge.
"dependencies": {
"axios": "1.14.1" ⛔ blocked,
"express": "4.18.2" ⚠ 2 high CVE,
"lodash": "4.17.21" ✓ clean
}The extension underlines risky dependencies on every save, and a hover reveals the full XYZ risk profile, CVEs, exploit status, downloads, dependents and any campaign link.
Explore the extension →They score a CVE the moment one is filed. They don't see the package the day it gets compromised. They don't see typosquats, install-script malware, or maintainer takeovers. Most of the npm and PyPI supply-chain attacks of the last four years never received a CVE on the day they shipped, and the ones that did got it days or weeks late.
CVSS scores the technical impact of a single CVE in isolation. A CVSS 9.8
in a library you don't ship is noise. A CVSS 6.1 in axios, used
by half of npm, is an emergency. The score can't tell the difference.
EPSS estimates the probability a published CVE will be exploited in the next 30 days. It's a useful signal for triaging known vulns, but it has no opinion on the entire malware-on-the-registry problem, because that universe has no CVEs to begin with.
Of the most damaging npm supply-chain compromises of the last four years
(axios, event-stream, ua-parser-js,
coa, rc, colors, faker,
node-ipc, eslint-scope), none had a
meaningful CVSS or EPSS score on day zero. CyberXYZ catches them on signal,
not on paperwork.
Every install request runs all six detection signals in parallel against two databases (1.3M vulnerabilities, 72K npm packages with behavioral baselines). We aggregate the strongest signal into one of four decisions. See the full methodology →
SCA tools find known vulnerabilities after they're already in your tree. CyberXYZ blocks malicious installs before they land. Different jobs on the same supply chain, run them together.
the world's first install-time firewallWe add the prevention layer your scanners can't, run CyberXYZ alongside what you already own.
Real-time monitoring and threat detection for npm, PyPI, Maven, NuGet, Go, Cargo, RubyGems, Composer, and more.
npmPyPI
MavenNuGetGo
Cargo
RubyGems
ComposerJavaScriptGHSAnpmPyPIMavenNuGetGoCargoRubyGemsComposerJavaScriptGHSANative connectors for SIEMs, CI/CD, IDEs, and orchestration platforms. Every alert, every verdict, every IOC, delivered where your team already works.
IBM QRadar
SplunkSentinelOne
CrowdStrikeElastic SIEMGitHub
GitHub ActionsGitLab CIAzure DevOps
Jenkins
Docker
Kubernetes
VS Code
Syslog / CEF
WebhooksJFrogIBM QRadarSplunkSentinelOneCrowdStrikeElastic SIEMGitHubGitHub ActionsGitLab CIAzure DevOpsJenkinsDockerKubernetesVS CodeSyslog / CEFWebhooksJFrog
I really liked the product, and that you’re ahead of the market: commit and PR-level review that catches zero-days before a CVE. We invited the team to present to our incident response and offensive security groups.
Get a 15-minute walkthrough of the brain, the proxy, and the live attack feed. We'll plug it into your CI in under an hour.
Check your inbox. We'll reach out within 24 hours.