Catches novel malware, not just known CVEs.
Traditional scanners check after install or only match known-CVE lists, which misses novel malware entirely. Upwarden analyzes every version at resolution time — fusing advisory feeds, a code-similarity scanner, and your own scanners into one verdict, and failing closed when it isn't sure.
The attack lands at resolution time
Trusted packages are compromised every few weeks — via maintainer phishing, account takeover, and malicious releases. The damage is done the moment a package manager resolves a poisoned version, long before any human reviews it.
Malicious new versions
A maintainer is compromised and ships a poisoned release of a package you already trust and depend on.
Compromised maintainers
Phishing and account takeovers turn legitimate accounts into delivery vehicles for malware at install time.
Known-vulnerable releases
Published CVEs keep flowing into builds because nothing stands between the resolver and the registry.
Every version is in one of three states
Verdicts resolve through a layered cache — hot cache, durable store, advisory range-match, then default-safe for established versions — so most requests are answered instantly.
Served
Included in manifests; artifacts are served normally. The only added latency is a single proxy hop.
Stripped
Known malicious or vulnerable. Removed from manifests entirely; direct artifact requests are refused with a clear, actionable message.
Held & scanned
Newly seen, awaiting analysis. Stripped from manifests (silent rollback) while the scanner runs — then promoted to SAFE or BLOCKED.
How a quarantined version is judged
Extract
Pull the artifact (tarball / wheel / crate) and its source files.
Chunk
Split code into function- and class-level units via AST parsing.
Embed
Encode each chunk with a code-embedding model.
Search
Hybrid retrieval over a malware corpus — dense vector similarity fused with keyword scoring (RRF).
Verdict
If the closest match exceeds the similarity threshold, block; otherwise mark safe.
Fail closed. On a cache miss the request is briefly held while the scan runs. If no verdict is reached in time, the request fails closed rather than letting an unscanned artifact through — an unanalyzed package never slips past. Scans are eagerly enqueued at manifest-fetch time, so most requests hit a warm verdict.
Evaluated, not asserted
Measured on the evaluation set at the default similarity threshold.
Three layers, fused into one verdict
Advisory feeds
OSV.dev, the GitHub Advisory Database and RustSec — known malware and CVEs, range-matched and stripped before the client sees the manifest.
Vector / AST similarity
Extracts, chunks and embeds source, then runs hybrid search (pgvector HNSW cosine + keyword, fused via RRF) against a malware corpus — catching novel malware by structural resemblance.
Bring your own scanner
A JWT-signed callback API lets external or commercial scanners submit verdicts — so detection is extensible, not a closed box.
Scope, honestly. Upwarden's detection centers on advisory matching and code-similarity scanning, plus typosquat detection (Team+) via per-tenant edit-distance thresholds. Dedicated dependency-confusion (internal-namespace shadowing) detection is available — you register your organisation's private namespaces and Upwarden blocks public packages that shadow them. Confirm coverage for a specific threat model with us rather than assuming it.
Every decision is on the record
Every manifest served, tarball downloaded, and block / quarantine / rewrite decision is recorded with client identity and reason — the source of truth for incident response and compliance.
Enterprise & compliance- Explainable blocks. Each decision carries its reason; blocked versions are annotated in search results.
- Tied to identity. Decisions are attributed to client and tenant — a complete trail administrators can replay.
- No telemetry. The trail stays inside your perimeter. Nothing about your dependencies leaves your network.
- Token-safe. Existing credentials pass through to the upstream registry unchanged — Upwarden never mints, stores or rotates them.
We check the client, not just the package
Endpoint scanners tell you what was installed. Because Upwarden sits in the path, it sees what's trying to install — and can judge the client itself: is it outdated and CVE-exposed, masquerading as something it isn't, or anomalous for your organisation? A class of signal only a proxy that every install crosses can see.
Outdated-client detection
Every install client is cross-referenced against CVE feeds. A stale npm, pip or cargo is a stale CVE exposure — Upwarden flags or blocks clients below the version your policy allows, before they pull a single package.
Masquerading clients
A client that claims to be one tool while behaving like another is a known attacker move. Upwarden catches the mismatch at the point of connection — and it holds across IP rotation and renamed repositories.
Baseline & drift
Upwarden learns your organisation's normal client population and alerts on drift — a sudden shift to raw, unmanaged pulls is visible immediately. A baseline only a multi-tenant proxy can hold.
Honest about limits. Install-client posture raises the cost of attack substantially — it is not a guarantee, and we won't sell it as one. Paired with the audit log and SBOM export, it gives operators a single pane: what was pulled, by which client and developer, on what CVE-affected version.
What's available vs on the roadmap
An honest, current map of the governance and security controls. available ships today; roadmap is in active development. We list what's built — not what's aspirational.
| Control | Status |
|---|---|
| Single sign-on — SAML + OIDC (org self-serve) | available |
| IP allowlisting (CIDR) | available |
| Org-wide MFA enforcement | available |
| Step-up re-auth — password factor today; server-side enforcement on sensitive ops rolling out | available |
| Role-based access — capability-level, with per-tenant overrides | available |
| Session management — list & revoke active sessions | available |
| Org API-key management | available |
| Audit export — CSV / JSON / NDJSON / OCSF | available |
| Audit streaming to SIEM — webhooks & stream targets (gzipped JSONL) | available |
| Owner self-service org erasure — all tiers | available |
| Signed Sigstore attestations + enforced provenance verification | available |
| SBOM generation — CycloneDX 1.5 + SPDX 2.3 | available |
| Bring-your-own-scanner (JWT-signed callback) | available |
| Detection breadth — 7/7 content-scan ecosystems + Maven bytecode | available |
| Self-hosted in your own perimeter — zero telemetry | available |
| EU-hosted cloud — Frankfurt (europe-west3) | available |
| SIEM streaming — self-serve config UI & CEF/OCSF stream formats | roadmap |
| SBOM scheduled exports & archive | roadmap |
| Per-region data residency (choose where your data sits) | roadmap |
| Air-gapped operation + one-way global threat-intel feed | roadmap |
Built to deploy into sovereign, regulated and air-gapped environments. We publish what's shipped and what's planned — and deliberately don't list controls we don't yet provide. Tell us your specific compliance requirements in a demo and we'll be precise about what's available today.
Put a firewall in front of every install
Self-serve in a minute, or talk to us about your threat model.