Developers blindly trust published packages match their open-source repos, but published artifacts can contain extra code, backdoors, or leaked proprietary source.
Automated service that pulls published packages, decompiles/unpacks them, diffs against the declared source repo, and alerts on discrepancies including unexpected source maps, extra files, or modified code.
Subscription - per-org pricing based on number of monitored dependencies
Supply chain attacks are a top-3 enterprise security fear. The xz-utils backdoor (2024) showed even sophisticated maintainer-level attacks happen. The Claude Code source map leak (the very signal that inspired this idea) shows accidental exposure is common. Every Fortune 500 CISO loses sleep over this. However, most orgs still treat this as a future problem — urgency is high but action is lagging.
TAM for supply chain security tooling is $2-4B by 2027. The specific niche of source-vs-artifact verification is a subset, but it sits at the intersection of SCA, compliance (SBOM/SLSA mandates), and zero-trust supply chain — all growing categories. Realistic SAM for a focused tool: $200-500M. Not every org needs this, but every org running open-source in production probably should have it.
Enterprise security teams already pay $25-100+/dev/month for Snyk, Socket, and Phylum. A tool that catches what those tools miss has clear upsell value. Compliance mandates (SBOM, SLSA, EU CRA) are creating forced-buy scenarios. However, this could also be seen as a feature of existing tools rather than a standalone product — willingness to pay for yet-another-security-tool is the risk. Positioning as complementary to existing SCA rather than replacement is key.
This is the hardest part. Diffing published artifacts against source repos is conceptually simple but practically brutal. Packages go through transpilation (TypeScript→JS), minification, bundling (webpack/rollup), tree-shaking, native compilation (Rust/C extensions), and build-time code generation. You need to handle: 1) Identifying the correct source repo and commit/tag, 2) Reproducing or approximating the build, 3) Normalizing diffs to ignore expected build transforms, 4) Handling packages with no declared source repo. A solo dev can build a working MVP for simple cases (pure JS/Python packages without heavy build steps) in 6-8 weeks, but the long tail of build configurations is a multi-year engineering challenge. False positive rate will be high initially.
This is the strongest signal. NO existing tool does published-artifact-vs-source-repo diffing. Socket, Snyk, Phylum, Sonatype — all analyze artifacts in isolation. Diffend diffs versions against each other but not against source. Google SLSA relies on producer-provided attestations (trust the build system) rather than independent verification. This is a genuine, unoccupied niche. The gap exists because the problem is technically hard, not because no one wants the solution.
Natural subscription model. Dependencies change constantly — new versions, new transitive deps, new packages added. Continuous monitoring is inherently recurring. Enterprise security is bought as annual contracts. Per-org or per-dependency pricing scales well. Once integrated into CI/CD, switching costs are meaningful.
- +Genuine competitive whitespace — no existing tool does source-vs-artifact diffing, despite billions spent on supply chain security
- +Regulatory tailwinds are strong (SBOM mandates, SLSA, EU CRA) creating forced-buy scenarios for provenance verification
- +High-profile incidents create recurring demand spikes and executive attention (xz-utils, SolarWinds, the very Reddit thread that inspired this)
- +Natural enterprise SaaS model with strong recurring revenue dynamics and high switching costs once embedded in CI/CD
- +Complementary to existing tools (Socket, Snyk) rather than competitive — can partner or be acquired rather than fight
- !Technical complexity is severely underestimated — handling build transforms, minification, transpilation, and native compilation makes accurate diffing extremely hard. False positive rate could kill adoption.
- !Incumbent absorption risk: Socket or Snyk could add source-vs-artifact diffing as a feature in 6-12 months once you prove the market. You need to build defensible depth fast.
- !Many packages have no declared source repo, use private repos, or have complex monorepo structures — coverage gaps will frustrate users.
- !Reproducible builds are an evolving ecosystem (SLSA, Sigstore) — if the industry moves toward mandatory build provenance attestations, the need for independent diffing decreases.
- !Enterprise sales cycles are 3-9 months. Burning runway while waiting for procurement to close is a real risk for a bootstrapped founder.
Deep package inspection analyzing package behavior — network access, filesystem access, shell execution, install scripts, obfuscated code, typosquatting. Monitors NPM, PyPI, Go. GitHub app flags risky deps in PRs.
Broad developer security platform covering SCA
Automated analysis of every new package version published across NPM, PyPI, RubyGems, NuGet. Sandboxes packages to detect malware, scores author risk, blocks risky packages in CI pipeline.
Component intelligence platform identifying vulnerable, malicious, or license-noncompliant dependencies. Nexus Repository acts as proxy/firewall for packages. Dedicated security research team manually finds malicious packages.
Analyzes changes between package versions
Start with the easiest, highest-value slice: pure Python (PyPI) and pure JavaScript (NPM) packages with no build step or minimal transpilation. Pull the published tarball, clone the tagged source repo, normalize whitespace and comments, and generate a visual diff report. Ship as a GitHub Action that runs on PR when dependencies change and comments with any discrepancies. Target open-source maintainers first (free tier) to build credibility and a public database of verified packages, then sell the enterprise monitoring dashboard. Ignore compiled/native packages entirely in V1.
Free GitHub Action for individual repos (marketing flywheel, builds public trust database) → Team plan at $49/mo for private repos and Slack/email alerts → Enterprise plan at $299-999/mo per org with CI/CD integration, policy engine, compliance reports, and API access → Platform play: sell the verified-package database as an API to other security tools (Socket, Snyk integrations)
3-5 months. Month 1-2: MVP GitHub Action for pure JS/Python packages, free tier, launch on Hacker News and r/programming. Month 2-3: Build public database of package verification results (content marketing). Month 3-5: First paying teams on $49/mo plan. Month 6-9: First enterprise pilot. The free-tier-to-paid funnel will be slow initially — consider a ProductHunt launch and leveraging the next supply chain incident for PR.
- “It's an Electron app. Can one not simple unpack app.asar”
- “First Axios library vulnerability report and now this”
- “source leaked via a map file”