Attackers create throwaway accounts (like kekylf12, tikeqemif26) and publish dozens of malicious packages rapidly; no easy way to assess publisher trustworthiness
API and browser extension that scores publisher accounts based on age, publishing velocity, naming patterns, code similarity to known malware, and cross-references with threat intel feeds
API subscription - free tier (100 lookups/month), pro ($99/month for CI integration), enterprise (custom pricing for registry-level integration)
The pain is real and acute when it hits — malicious packages can compromise entire CI/CD pipelines and production systems. The Reddit thread with 190 upvotes about active malicious publishing campaigns shows genuine developer frustration. However, most developers never personally encounter a supply chain attack, so the pain is concentrated among security teams and large organizations. Pain is episodic (spikes after incidents) rather than constant daily friction. Security teams at mid-to-large companies feel this most; solo devs and small teams rarely think about it proactively.
The broader supply chain security market is huge ($2-3B+), but a pure publisher reputation API is a narrow niche within it. Realistic TAM: ~10,000-50,000 companies actively running SCA tools that would consume an additional API signal at $500-5,000/year = $5M-$250M addressable market. The high end requires registry-level integration deals (npm, PyPI themselves), which are extremely hard to land. Most of the big market dollars flow to full-platform solutions, not point APIs. You are selling a feature, not a platform — that caps your ceiling unless you expand scope.
Security teams at enterprises absolutely pay for supply chain security — Snyk, Socket, and Phylum prove this. But they pay for platforms, not individual API signals. $99/month for CI integration is reasonable but competes against free alternatives (Trusty, OpenSSF Scorecard, npm audit). Enterprise deals ($5K-50K/year) are possible but require sales effort and SOC2/compliance. The free tier creates awareness but conversion to paid is uncertain. Key risk: the big SCA platforms could add publisher scoring as a checkbox feature, eliminating the willingness to pay for a standalone product.
A solo dev can absolutely build an MVP in 4-8 weeks. The core data is publicly available: npm/PyPI registry APIs expose account creation dates, package lists, publishing timestamps, and package metadata. Building a scoring model on top (account age, publishing velocity, naming pattern analysis, code similarity hashing) is well within reach with Python/Node. A browser extension is a known quantity. The harder technical challenges (real-time scanning of all new packages, maintaining threat intel feeds, code similarity to known malware) can wait for post-MVP. Start with batch lookups on demand, not real-time scanning.
There IS a genuine gap — nobody sells a dedicated, API-first publisher reputation score as a commercial product. Trusty is closest but is free, basic, and part of a broader play. Phylum bundles author risk but doesn't sell it standalone. However, the gap exists partly because incumbent platforms could easily add this as a feature. Socket already scans all new packages — adding publisher scoring is a natural extension. The xz Utils attack narrative is compelling but cuts both ways: it shows the need but also that sophisticated attackers game reputation over years, making scoring extremely hard. Your moat is thin: the data is public, the signals are known, and well-funded competitors are a product decision away from your territory.
Strong recurring potential. Security scanning is inherently continuous — you need fresh scores as new packages are published daily. CI/CD integration means automatic lookups on every build. Threat landscape constantly evolves, requiring updated models. Enterprise security budgets are annual/recurring by nature. The 100-lookup free tier creates natural upgrade pressure as teams grow. API consumption naturally scales with customer growth (more repos = more lookups). This is a textbook subscription/usage-based business.
- +Genuine market gap — no dedicated commercial API for publisher reputation scoring exists today
- +Strong narrative tailwind — every supply chain attack (xz Utils, tj-actions) validates the need and creates sales moments
- +Technically feasible MVP in 4-8 weeks using publicly available registry data
- +Natural API-first business model with clear free-to-paid upgrade path
- +Could become infrastructure that existing SCA platforms consume, turning competitors into customers
- +Regulatory tailwinds (EO 14028, EU CRA) push enterprises toward more supply chain security tooling
- !Feature, not platform risk — Socket, Phylum, or Snyk could add publisher scoring as a checkbox feature within one quarter, instantly commoditizing your entire product
- !Thin moat — data is public, signals are well-known, no proprietary data advantage without significant investment in threat intel
- !Sophisticated attackers (like xz Utils) game reputation over years, making scoring fundamentally hard — your API would catch script kiddies but miss the most dangerous threats
- !Free alternatives (Trusty, OpenSSF Scorecard) set price expectations low; converting free users to $99/month requires demonstrable superiority
- !Enterprise sales cycles are long (3-6 months) and require SOC2 compliance, which conflicts with solo-dev speed
- !Registries themselves (npm, PyPI) may build native reputation systems, killing the market entirely
Proactive supply chain attack detection via deep package inspection — analyzes what packages actually do
Automated supply chain security with a five-factor risk model: author risk, engineering risk, vulnerability risk, malicious code risk, and license risk. Performs static + dynamic package analysis pre-install.
Package trust scoring tool that explicitly includes publisher/maintainer reputation signals — provenance data, activity patterns, contributor reputation, Sigstore signing status. Built by Kubernetes co-creator Craig McLuckie.
Broad application security platform covering SCA, SAST, container scanning, and IaC. Scans dependencies against the Snyk Vulnerability Database for known CVEs. Auto-generates fix PRs.
OpenSSF Scorecard runs ~20 automated checks on project security hygiene
API endpoint that takes a package name or publisher username and returns a 0-100 trust score with breakdown: account age score, publishing velocity score (packages/day anomaly), naming pattern score (entropy analysis, typosquatting detection), and a flag if the account matches known attack patterns. Ship with a simple Chrome extension that shows the score on npm/PyPI package pages. Data source: public registry APIs only. No real-time scanning — batch process new packages every few hours. Launch with npm only, add PyPI in week 2. Target: 500 free users in first month via Show HN + r/programming posts.
Free browser extension + 100 API lookups/month (awareness + adoption) → Pro at $99/month for CI/CD integration with GitHub Actions plugin + webhook alerts for new risky dependencies → Enterprise at $500-2,000/month for bulk API access, custom risk policies, and Slack/PagerDuty alerting → Platform play: sell wholesale publisher reputation data to SCA vendors (Socket, Snyk) as an enrichment feed at $25K-100K/year per integration partner
8-12 weeks to first dollar. Weeks 1-4: build MVP API + browser extension. Weeks 5-6: launch on HN, Reddit, dev communities. Weeks 7-8: iterate based on feedback, add CI integration. Weeks 9-12: first pro subscribers from security-conscious teams who hit the free tier limit. Enterprise revenue: 6-9 months out due to sales cycles and compliance requirements.
- “publisher account is actively pushing multiple malicious packages right now”
- “36 of them till now”
- “named to blend in with real plugins”