A fast, locally-executing desktop agent that scans your machine for malicious packages and known vulnerable dependencies in milliseconds.
Modern supply chain attacks are fundamentally different. Your tools need to be too.
Built on open standards. Executed locally. Zero compromise.
Powered by the open-source Bumblebee Go binary wrapped in a lightweight Rust/Tauri desktop shell. Native performance with sub-500ms cold starts and minimal runtime overhead.
Analyzes package metadata, publication age, maintainer history, and behavioral signals such as install-time scripts. Assigns High/Medium/Low confidence scores, with the signals that fired, so you know which suspicious packages to act on first.
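As an illustration of how those signals can be combined into a High/Medium/Low score, here is an added example in Go. It is not pkgwatch's or Bumblebee's code; the PackageMeta struct, the point weights, the thresholds, the tiny popular-name list for the typosquat check, and the sample packages are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// PackageMeta is a constructed, simplified view of registry metadata.
// It is an assumption of this example, not the agent's real data model.
type PackageMeta struct {
	Name            string
	Version         string
	Published       time.Time     // when this version hit the registry
	MaintainerAge   time.Duration // age of the publishing maintainer's account
	MaintainerPkgs  int           // other packages the same maintainer has published
	HasInstallHook  bool          // preinstall/postinstall script runs on install
	WeeklyDownloads int
}

// Confidence is how strongly the heuristics flag a package.
type Confidence int

const (
	Low Confidence = iota
	Medium
	High
)

func (c Confidence) String() string { return [...]string{"Low", "Medium", "High"}[c] }

// popular is a tiny constructed list for the typosquat check; a real scanner
// would derive this from registry download rankings.
var popular = []string{"lodash", "express", "requests", "numpy"}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is plain Levenshtein distance between two package names.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Score weighs the signals and returns a confidence level plus the reasons that
// fired, so the user can see why a package was flagged. Weights are illustrative.
func Score(p PackageMeta, now time.Time) (Confidence, []string) {
	points := 0
	var reasons []string
	add := func(n int, why string) { points += n; reasons = append(reasons, why) }

	if now.Sub(p.Published) < 72*time.Hour {
		add(2, "version published less than 72h ago")
	}
	if p.MaintainerAge < 30*24*time.Hour {
		add(2, "maintainer account younger than 30 days")
	}
	if p.MaintainerPkgs == 0 {
		add(1, "maintainer has no other packages")
	}
	if p.HasInstallHook {
		add(3, "install-time script present")
	}
	if p.WeeklyDownloads < 100 {
		add(1, "fewer than 100 weekly downloads")
	}
	for _, known := range popular {
		if p.Name != known && editDistance(p.Name, known) == 1 {
			add(2, "name is one edit away from popular package "+known)
			break
		}
	}
	switch {
	case points >= 6:
		return High, reasons
	case points >= 3:
		return Medium, reasons
	}
	return Low, reasons
}

func main() {
	now := time.Now()
	// Constructed sample: a day-old package from a brand-new maintainer, with an
	// install hook and a name one keystroke away from lodash.
	p := PackageMeta{Name: "l0dash", Version: "1.0.0", Published: now.Add(-24 * time.Hour),
		MaintainerAge: 5 * 24 * time.Hour, HasInstallHook: true, WeeklyDownloads: 10}
	c, why := Score(p, now)
	fmt.Println(p.Name, c, why)
}
```

Returning the reasons alongside the level matters in practice: a bare "High" is hard to triage, while "install-time script present" plus "name is one edit away from lodash" tells the developer exactly what to look at.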
Fetches a daily-updated catalog.json compiled from Google OSV. Every known CVE and malware signature in the catalog is matched locally, so a scan makes no cloud round-trips; coverage is current as of the last daily catalog refresh.
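To show what local matching against an OSV-derived catalog involves, here is an added example in Go that reads installed packages from an npm package-lock.json (lockfileVersion 3) and checks each one against OSV-style advisories. It is not pkgwatch's or Bumblebee's code, and it does not describe the real catalog.json layout: the catalog here is a plain JSON array of OSV records, and the advisory IDs, package names and lockfile contents are constructed for this example and refer to nothing real. Only SEMVER ranges and explicit version lists are handled, and the version comparison is a simplified numeric one that ignores pre-release ordering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// These types mirror only the slice of the OSV schema this example reads.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}
type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}
type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges   []Range  `json:"ranges"`
	Versions []string `json:"versions"`
}
type Advisory struct {
	ID       string     `json:"id"`
	Summary  string     `json:"summary"`
	Affected []Affected `json:"affected"`
}

type Installed struct{ Name, Version string }
type Finding struct{ Package, Version, ID, Summary string }

// Constructed sample inputs: the IDs and package names are made up for this example.
const sampleCatalog = `[
 {"id":"EXAMPLE-2024-0001","summary":"constructed: bug in leftpad-ish before 1.3.1",
  "affected":[{"package":{"ecosystem":"npm","name":"leftpad-ish"},
   "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.1"}]}]}]},
 {"id":"EXAMPLE-MAL-0002","summary":"constructed: malicious release of totally-fine-utils",
  "affected":[{"package":{"ecosystem":"npm","name":"totally-fine-utils"},"versions":["0.0.3"]}]}
]`
const sampleLock = `{"name":"app","lockfileVersion":3,"packages":{
 "":{"name":"app"},
 "node_modules/leftpad-ish":{"version":"1.2.0"},
 "node_modules/totally-fine-utils":{"version":"0.0.3"},
 "node_modules/safe-lib":{"version":"2.0.0"}}}`

// ParseNpmLock pulls (name, version) pairs out of a lockfileVersion 3 package-lock.json.
// Keys look like "node_modules/foo" or "node_modules/foo/node_modules/bar"; "" is the root.
func ParseNpmLock(data []byte) ([]Installed, error) {
	var lock struct {
		Packages map[string]struct {
			Version string `json:"version"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var out []Installed
	for path, p := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue
		}
		out = append(out, Installed{Name: path[i+len("node_modules/"):], Version: p.Version})
	}
	return out, nil
}

// cmpSemver compares dotted numeric versions; a "-prerelease" suffix is dropped,
// so this is simplified relative to full semver ordering.
func cmpSemver(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// inRange walks an OSV SEMVER event list: each "introduced" opens a window that the
// next "fixed" (exclusive) or "last_affected" (inclusive) closes. Events are assumed sorted.
func inRange(v string, events []Event) bool {
	open := false
	for _, e := range events {
		switch {
		case e.Introduced != "":
			open = e.Introduced == "0" || cmpSemver(v, e.Introduced) >= 0
		case e.Fixed != "":
			if open && cmpSemver(v, e.Fixed) < 0 {
				return true
			}
			open = false
		case e.LastAffected != "":
			if open && cmpSemver(v, e.LastAffected) <= 0 {
				return true
			}
			open = false
		}
	}
	return open // an introduced window with no closing event is still vulnerable
}

// Match reports every installed npm package whose version an advisory covers.
func Match(installed []Installed, catalog []Advisory) []Finding {
	var out []Finding
	for _, pkg := range installed {
		for _, adv := range catalog {
			for _, a := range adv.Affected {
				if a.Package.Ecosystem != "npm" || a.Package.Name != pkg.Name {
					continue
				}
				hit := false
				for _, v := range a.Versions {
					hit = hit || v == pkg.Version
				}
				for _, r := range a.Ranges {
					hit = hit || (r.Type == "SEMVER" && inRange(pkg.Version, r.Events))
				}
				if hit {
					out = append(out, Finding{pkg.Name, pkg.Version, adv.ID, adv.Summary})
				}
			}
		}
	}
	return out
}

// Scan parses both inputs and returns the findings; nothing here touches the network.
func Scan(lock, catalog []byte) ([]Finding, error) {
	var advisories []Advisory
	if err := json.Unmarshal(catalog, &advisories); err != nil {
		return nil, err
	}
	installed, err := ParseNpmLock(lock)
	if err != nil {
		return nil, err
	}
	return Match(installed, advisories), nil
}

func main() {
	findings, err := Scan([]byte(sampleLock), []byte(sampleCatalog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s@%s: %s (%s)\n", f.Package, f.Version, f.ID, f.Summary)
	}
}
```

Two points worth noting for anyone building on this: OSV malware records often list explicit affected versions rather than ranges, which is why both forms are checked, and a catalog-based scan can only ever be as fresh as the last catalog download, so the refresh timestamp should be surfaced next to the results.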
Scans run entirely on your filesystem. Apart from downloading the vulnerability catalog, nothing leaves your machine: no code, no dependency manifests, no telemetry. Your IP and your supply chain data stay yours.
8+ package managers. One agent. Scans run fully offline.
No credit card. No account. Just download and scan.
Full-featured local desktop agent. No cloud, no account, no catches.
For engineering orgs requiring fleet visibility, CI/CD pipeline enforcement, and compliance reporting.
We are actively expanding core platform support. These features will be available in the free Developer Edition very soon.
Full support for Intel and Apple Silicon (M1/M2/M3) chips. Packaged as a signed, native .dmg application.
Support for major distributions including Ubuntu, Debian, and Fedora. Distributed via .deb and .AppImage.
Run pkgwatch silently in the background. It will actively monitor your node_modules and site-packages directories and alert you when a malicious dependency is pulled down.