| | vet | crxviewer |
|---|---|---|
| | 17 | 24 |
| Stars | 523 | 1,562 |
| Growth | 25.6% | 0.8% |
| Activity | 9.3 | 2.0 |
| | 4 days ago | 7 months ago |
| Language | Go | JavaScript |
| License | Apache License 2.0 | Mozilla Public License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month-over-month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones. For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
vet
- Ask HN: What Are You Working On? (June 2025)
  I am working on a next-gen software composition analysis tool that can identify malicious open source packages through code analysis. It adopts a policy-as-code (CEL) approach to build security guardrails against risky OSS components using opinionated policies.
  GitHub: https://github.com/safedep/vet
- Vet MCP: Software Composition Analysis for AI Code Editors
- Malicious npm Package Impersonating Popular Express Cookie Parser
  Our free and open source tool vet is integrated with the SafeDep Cloud Package Scanning Service and can be used to detect malicious packages before they are installed. vet-action is a GitHub Action that can be used to establish proactive guardrails against malicious open source packages in your GitHub Actions workflows.
- How to Effectively Vet Your Supply Chain for Optimal Performance
  Explore SafeDep on GitHub: https://github.com/safedep/vet
- Ask HN: How are you acquiring first 100 users?
  Not sure if it's relevant because you specifically mentioned B2C.
  For a cyber security product, we took the open source route. We build our core technology in public as an open source project.
  https://github.com/safedep/vet
  The commercial SaaS is for scaling and management. Our entire funnel is based on OSS: folks who have already found value and are looking to scale their deployment.
  This model works for us, especially at our current stage where we are 100% engineering led.
- Show HN: MCP-Shield – Detects security issues in MCP servers
  Maybe try out vet as well: https://github.com/safedep/vet
  vet is backed by a code analysis engine that performs malicious package (npm, pypi etc.) scanning. We recently extended it to support GitHub repository scanning as well.
  It found the malicious behaviour in mcp-servers-example/bad-mcp-server.js
- Agentic Analysis of Open Source Package Code for Malware
  ➡️ https://github.com/safedep/vet
- Scanning Open Source Packages for Malicious Code 🚨
  Malicious code in open source is real and people get hacked due to it, as we have seen with the changed-files incident, the ultralytics hack and multiple such incidents. vet now supports identification of malicious OSS packages through active code analysis.
- Show HN: Scan GitHub Actions for Malicious Code
- Popular GitHub Action tj-actions/changed-files is compromised
  I think the conventional approach of checking for vulnerabilities in 3rd party dependencies by querying CVE or some other database has set the current behaviour, i.e. if it's not vulnerable it must be safe. This implicit trust in vulnerability databases has been exploited in the wild to push malicious code to downstream users.
  I think we will see security tools shifting towards "code" as the source of truth when making safety and security decisions about 3rd party packages instead of relying only on known vulnerability databases.
  Take a look at vet, we are working on active code analysis of OSS packages (+ transitive dependencies) to look for malicious code: https://github.com/safedep/vet
crxviewer
- Popular GitHub Action tj-actions/changed-files is compromised
  This is why I fork the extensions I use, with the exception of uBlock. Basically I just copy the extension folder, if I can't find it on GitHub. That way I can audit the code and not have to worry about an auto-update sneaking in something nefarious. I've had two extensions in the past suddenly start asking for permissions they definitely did not need, and I suspect this is why.
  Btw, here's a site where you can inspect an extension's source code before you install it: https://robwu.nl/crxviewer/
- TabBoo – add random jumpscares to websites you're trying to avoid
- The Karma Connection in Chrome Web Store
- Show HN: YouTube's killing adblockers, so we made an undetectable one
  For those who want to review the source: https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fchrome.google....
  tldr; it just clicks the "skip ad" button if one appears in the first 5 seconds
- Show HN: I made a Chrome extension to put headlines back into Twitter
- clean up utm= parameters
  You can extract the extension files using something like https://robwu.nl/crxviewer/ and run it from a local folder
- where is the source code on the addons page
- I have 49 add-ons enabled, how can I switch between a different configuration of addons as needed? (other than running a private window)
  30. Extension source viewer 1.6.12 (Disabled) View source code of Firefox addons and Chrome extensions (crx/nex/xpi) from addons.mozilla.org, the Chrome Webstore and elsewhere. https://github.com/Rob--W/crxviewer
- Requires permission for 2 other sites, please tell me which!
  I understand this box is too small to show all the permissions, but either make it scrollable, or give me a button to open said add-on in https://robwu.nl/crxviewer/ maybe?
- This permission request window should list all websites impacted, not just say "200 more"
What are some alternatives?
- solarsploit - Red team tool that emulates the SolarWinds CI compromise attack vector.
- clear-browsing-data - Browser extension for clearing browsing data, available for Chrome, Edge and Firefox
- cnspec - An open source, cloud-native security tool to protect everything from build to runtime
- publishers - Publisher interface for Brave Payments
- scorecard - OpenSSF Scorecard - Security health metrics for Open Source
- tampermonkey - Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.