Block malicious npm and pip packages before they install.
Defense in depth for the package managers you already use.
Developers and AI coding agents install packages every day. Each npm install or pip install executes thousands of lines of code that nobody reviews.
Recent compromises in popular ecosystems:
- Mini Shai-Hulud - 300+ popular packages compromised
- litellm 1.82.8 - a popular AI proxy library compromised to exfiltrate credentials
- telnyx 4.87.2 - a legitimate telecom SDK hijacked on PyPI
- pino-sdk-v2 - a typosquat package disguised as the popular pino logger
PMG is free, open source (Apache 2.0), and requires no account or API key. It intercepts every package install and checks it against SafeDep's free community API for known malware before code executes. Install it once, and it covers every npm install, pip install, and poetry add after that.
PMG takes a defense in depth approach. Zero config, works across Zsh, Bash, and Fish, and each install passes through the enabled protection layers before code runs, plus an audit trail after.
Layer details
- Transparent Interception - PMG wraps
npm,pip, and other package managers. Developers and AI agents use the same commands. No workflow changes. - Layer 1: Threat Intelligence - PMG checks every package against SafeDep's real-time threat intelligence before install. Known-malicious packages are blocked. No key, no login required.
- Layer 2: Policy (Dependency Cooldown) - PMG blocks package versions published inside a configurable cooldown window, so recently compromised versions are skipped during the window.
- Layer 3: Opt-in Sandbox - When sandboxing is enabled and configured, PMG runs installs inside OS-native sandboxes (macOS Seatbelt, Linux Landlock by default, or Bubblewrap fallback) so install scripts have restricted system access even if a threat slips past the first two layers.
- Audit Logging - PMG logs every install (what, when, from where) for a verifiable audit trail.
PMG is the only free, open-source, install-time package firewall that covers developers and AI agents alike and ships with sandboxing and cooldown out of the box.
| Capability | PMG | Socket | Snyk | Dependabot |
|---|---|---|---|---|
| OSS / built in public | ✓ | ✗ | ✗ | ✗ |
| No account or API key | ✓ | ✓ | ✗ | ✗ |
| Install-time malicious package blocking | ✓ | ✓ | ✗ | ✗ |
| Dependency cooldown policy | ✓ | ✗ | ✗ | ✗ |
| Runtime sandboxing | ✓ | ✗ | ✗ | ✗ |
| Protects AI coding agents transparently | ✓ | ✗ | ✗ | ✗ |
| Local audit logs | ✓ | ✗ | ✗ | ✗ |
| Known-CVE remediation PRs | ✗ | ✗ | ✓ | ✓ |
curl -fsSL https://raw.githubusercontent.com/safedep/pmg/main/install.sh | shSee Installation for Homebrew, npm, and other install methods.
Wire PMG into your shell so it intercepts package managers.
pmg setup install
# Restart your terminal to apply changesTip: Re-run
pmg setup installafter upgrading PMG to pick up new configuration options.
Validate your installation and verify protection is working:
pmg setup doctorSee PMG blocking threats.
npm install --no-cache --prefer-online safedep-test-pkg@0.1.3Note:
safedep-test-pkgis a benign test package flagged as malicious in SafeDep's database for testing and verification purposes.
Continue using your package managers as usual, or let your AI coding agent run them. PMG sits in the path, blocking malicious packages.
npm install express
# or
pip install requestsPMG supports the tools you already use:
| Ecosystem | Tools | Command Example |
|---|---|---|
| Node.js | npm |
npm install <pkg> |
pnpm |
pnpm add <pkg> |
|
yarn |
yarn add <pkg> |
|
bun |
bun add <pkg> |
|
npx |
npx <pkg> |
|
pnpx |
pnpx <pkg> |
|
| Python | pip |
pip install <pkg> |
poetry |
poetry add <pkg> |
|
uv |
uv add <pkg> |
Install Script (MacOS/Linux)
Downloads the latest release from GitHub, verifies its SHA-256 checksum, and installs to $HOME/.local/bin (if on PATH) or /usr/local/bin.
curl -fsSL https://raw.githubusercontent.com/safedep/pmg/main/install.sh | shHomebrew (MacOS/Linux)
brew tap safedep/tap
brew install safedep/tap/pmgNPM (Cross-Platform)
npm install -g @safedep/pmgNote: NPM-based installs can be fragile when Node.js is managed by version managers like
miseorasdf. The globalnpmbin path changes with the active Node version, so switching versions can leavepmgunavailable onPATH(or pointing to an old install). For these setups, prefer the install script or Homebrew.
Go (Build from Source)
# Ensure $(go env GOPATH)/bin is in your $PATH
go install github.com/safedep/pmg@latestBinary Download
Download the latest binary for your platform from the Releases Page.
Protect CI workflows with one step. PMG analyzes every npm install,
pip install, etc. in the job.
# Consider pinning third-party Actions to a full commit SHA
- uses: actions/setup-node@v6
with:
node-version: 24
- uses: safedep/pmg@v1
- run: npm ciBy default you get malware blocking and dependency cooldown. Sandbox isolation
is opt-in via the sandbox input. Tune behavior via inputs (paranoid,
sandbox, cooldown-days, ...) or point
config-file at a YAML in the repo. See
docs/github-action.md for the full reference.
Remove shell integration:
pmg setup removeTo also remove the PMG configuration file:
pmg setup remove --config-fileThen uninstall PMG itself:
# Homebrew
brew uninstall safedep/tap/pmg
# NPM
npm uninstall -g @safedep/pmgPMG builds are reproducible and signed.
- Attestations: GitHub and npm attestations guarantee artifact integrity.
- Verification: You can cryptographically prove the binary matches the source code.
- See Trusting PMG for verification steps.
If PMG saved you from a bad package, star this repo. It helps others find it.
Contributions welcome. See CONTRIBUTING.md for build and test instructions.
Thank you to all contributors ❤️
PMG collects anonymous usage data. To disable, either:
- Set
disable_telemetry: truein your PMG config file, or - Export
PMG_DISABLE_TELEMETRY=true.
