Over the last few weeks, supply chain security has once again become a very real problem for developers.
We keep seeing the same attack pattern:
CI/CD token stolen
→ malicious package version published
→ developers install or update dependencies
→ compromised code lands on real machines
And the worst part is simple:
You may already have one of those compromised packages on your machine without knowing it.
That is why I built LibKill.
What is LibKill?
LibKill is an open-source supply chain security scanner.
It checks your local development environment against a database of known compromised package artifacts.
Currently, it scans:
- npm global packages
- pip packages
- Bun cache
Then it cross-references what it finds against 2,672+ known compromised package artifacts.
If something suspicious is detected, LibKill can help you remove it interactively.
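To make the cross-referencing step concrete, here is an added Go example (not LibKill's own code; the project's internal data structures and database format are not shown on this page). It parses the JSON that `npm ls -g --json` and `pip list --format=json` actually emit (sample output constructed inline), normalizes PyPI names per PEP 503 so that `Colour_Utils` and `colour-utils` compare equal, and matches on ecosystem + normalized name + exact version against a hypothetical blocklist. Package names and blocklist entries are made up for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Artifact identifies one published package version in a given ecosystem.
type Artifact struct {
	Ecosystem string // "npm" or "pypi"
	Name      string
	Version   string
}

// Finding is an installed artifact that matched the blocklist.
type Finding struct {
	Artifact Artifact
	Source   string // where it was found, e.g. "npm-global" or "pip"
}

// Constructed sample of `npm ls -g --json` output (package names are fictional).
const npmLsJSON = `{
  "dependencies": {
    "acme-cli":   {"version": "1.3.0"},
    "acme-utils": {"version": "2.0.1"}
  }
}`

// Constructed sample of `pip list --format=json` output (fictional names).
const pipListJSON = `[
  {"name": "Requests",     "version": "2.31.0"},
  {"name": "Colour_Utils", "version": "0.9.2"}
]`

// SampleBlocklist is a hypothetical compromised-artifact database, standing in
// for the real threat database LibKill ships with.
var SampleBlocklist = []Artifact{
	{"npm", "acme-utils", "2.0.1"},
	{"npm", "acme-cli", "9.9.9"}, // same name, different version: must NOT match
	{"pypi", "colour-utils", "0.9.2"},
}

var pypiNormRe = regexp.MustCompile(`[-_.]+`)

// normalizeName canonicalizes a package name for comparison. PyPI names are
// case-insensitive with runs of '-', '_' and '.' collapsed to '-' (PEP 503);
// npm names are already lowercase, so only lowercase them defensively.
func normalizeName(eco, name string) string {
	if eco == "pypi" {
		return strings.ToLower(pypiNormRe.ReplaceAllString(name, "-"))
	}
	return strings.ToLower(name)
}

func key(a Artifact) string {
	return a.Ecosystem + ":" + normalizeName(a.Ecosystem, a.Name) + "@" + a.Version
}

// ParseNpmGlobal extracts installed packages from `npm ls -g --json` output.
func ParseNpmGlobal(raw string) ([]Artifact, error) {
	var doc struct {
		Dependencies map[string]struct {
			Version string `json:"version"`
		} `json:"dependencies"`
	}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	out := make([]Artifact, 0, len(doc.Dependencies))
	for name, d := range doc.Dependencies {
		out = append(out, Artifact{"npm", name, d.Version})
	}
	return out, nil
}

// ParsePipList extracts installed packages from `pip list --format=json` output.
func ParsePipList(raw string) ([]Artifact, error) {
	var rows []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	}
	if err := json.Unmarshal([]byte(raw), &rows); err != nil {
		return nil, err
	}
	out := make([]Artifact, 0, len(rows))
	for _, r := range rows {
		out = append(out, Artifact{"pypi", r.Name, r.Version})
	}
	return out, nil
}

// Match cross-references installed artifacts against the blocklist. A name-only
// hit is deliberately not a finding: only the specific published versions were
// compromised, and flagging every version would drown real hits in noise.
func Match(installed []Artifact, source string, blocklist []Artifact) []Finding {
	bad := make(map[string]bool, len(blocklist))
	for _, b := range blocklist {
		bad[key(b)] = true
	}
	var findings []Finding
	for _, a := range installed {
		if bad[key(a)] {
			findings = append(findings, Finding{a, source})
		}
	}
	return findings
}

func main() {
	npm, _ := ParseNpmGlobal(npmLsJSON)
	pip, _ := ParsePipList(pipListJSON)
	all := append(Match(npm, "npm-global", SampleBlocklist), Match(pip, "pip", SampleBlocklist)...)
	for _, f := range all {
		fmt.Printf("%-10s %s %s@%s\n", f.Source, f.Artifact.Ecosystem, f.Artifact.Name, f.Artifact.Version)
	}
}
```

Two design points carry over to any scanner of this kind: match on the exact version, not the name, and normalize names per ecosystem before comparing, otherwise a `Colour_Utils` entry silently misses a `colour-utils` blocklist row (or the reverse).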
Why I built it
Most developers hear about compromised packages after the damage is already done.
A package gets reported.
A malicious version is removed.
A GitHub advisory appears.
A security company publishes an analysis.
But then comes the real question:
“Is any of this already on my machine?”
That question should be easy to answer.
LibKill is my attempt to make that check fast, local, and simple.
Features
LibKill currently supports:
- Scanning npm global packages
- Scanning installed pip packages
- Scanning Bun cache
- Cross-checking against known compromised artifacts
- Interactive removal when threats are found
- Background daemon mode
- Desktop notifications
- macOS, Linux, and Windows support
- Single binary
- Zero runtime dependencies
It is written in Go and distributed as a small standalone binary.
Installation
You can install it with one command (as with any script piped into a shell, read it first or use the manual build below):
curl -fsSL https://raw.githubusercontent.com/firfircelik/libkill/main/install.sh | bash
Or build it manually:
git clone https://github.com/firfircelik/libkill.git
cd libkill
make install
Example usage
After installation, run:
libkill scan
To start background monitoring:
libkill daemon
If compromised artifacts are found, LibKill will show the results and offer interactive cleanup options.
Threat coverage
LibKill currently covers known compromised artifacts related to campaigns and threat clusters such as:
- Mini Shai-Hulud
- Contagious Interview
- StegaBin
- SANDWORM_MODE
- CanisterWorm
- W4SP
- TeamPCP
- and many others
The threat database is built from public security sources including:
- Socket.dev
- GitHub Advisory Database
- OSV.dev
- Public security research
Why local scanning matters
A lot of supply chain security tools focus on repositories, lockfiles, or CI pipelines.
That is useful, but it only covers what a project declares. It does not tell you what is actually installed on the machine, and global installs and package-manager caches sit outside any lockfile.
Developers often install tools globally.
They test packages.
They use temporary scripts.
They work across multiple languages and package managers.
They forget what was installed weeks ago.
A compromised package does not need to be in your current production repository to be a problem.
It may already exist somewhere in your local environment.
Project details
- Language: Go
- License: MIT
- Binary size: around 14 MB
- Dependencies: zero runtime dependencies
- Platforms: macOS, Linux, Windows
GitHub:
https://github.com/firfircelik/libkill
Final note
LibKill is still evolving.
My goal is to make it a practical local security tool for developers who work with open-source packages every day.
If you work with npm, Python, Bun, or modern JavaScript tooling, you should not have to guess whether a known compromised artifact exists on your machine.
You should be able to check it quickly.
That is what LibKill is for.
Feedback, issues, and contributions are welcome.