Introducing Package Manager Guard (PMG)

Let’s say you are building an Express.js application. You need a cookie parser middleware. But instead of installing the original cookie-parser package, you install express-cookie-parser which is a malicious package, although removed from the npm registry. We developers want to get the job done while in the flow state. We hate going outside our terminals and IDEs to check if a package we are installing is malicious or not. This behavior is exploited by malicious actors to compromise developers through typosquatting and other supply chain attacks. To protect the software supply chain, we need to protect developers from malicious packages at the time of installation. This is where Package Manager Guard (PMG) comes in.

What is PMG?

PMG is a tool to protect developers from malicious packages at the time of installation. It is a CLI tool that wraps popular package managers like npm, pnpm, etc. It prevents installation of malicious packages by scanning the package at the time of installation.

How do I use PMG?

The easiest way to install PMG is using homebrew. For other installation options, please refer to the PMG GitHub repository.

1
brew install safedep/tap/pmg

In your NPM project, you can now install any package using pmg as a security guard.

1
pmg npm install react

The goal of PMG is to be as hidden and out of the way as possible while protecting developers from installing malicious packages. For a seamless experience, add PMG as an alias for your package manager.

1
alias npm="pmg npm"
2
alias pnpm="pmg pnpm"

That’s it! PMG will now protect you from installing malicious packages.

Demo

Bugs and Feedback

If you find any bugs or have any feedback, please file an issue on the PMG GitHub repository. You can also join SafeDep Community Discord to discuss PMG and other SafeDep products.