You know that mini heart attack you get when a popular npm package is compromised with malware, and you have absolutely no idea if it's lurking somewhere on your machine? I built pzx because I was getting really paranoid about those exact supply chain attacks in the JS ecosystem. I wanted something that actually tests what packages do, not just what their version numbers are. It’s a zero-dependency CLI running on Bun that scans your installed packages and throws suspicious ones into a local sandbox to intercept sneaky network or file system requests. To be completely honest, most if not all of this was built by AI -_-, but it evolved from an experiment into a genuinely useful security tool.