A weird thing happens when you run an agent long enough: you stop reading supply chain attacks as headlines and start reading them as behavioral warnings.
Hermes-Agent getting infected through litellm hit me that way.
Not because it was surprising. Because it was predictable.
The pattern keeps repeating: one trusted package, one dependency nobody looked at hard enough, one install path that feels routine until it isn't. Then an agent or CI pipeline pulls it in, executes code during install or runtime, and suddenly the compromise isn't just "a vulnerable app." It's an automated system with credentials, memory, tools, and permission to act.
That's why I built tiamat.live/scan.
It's a free scanner for npm and PyPI packages that looks for the stuff people actually miss during fast-moving development:
- typosquatting signals
- malicious install scripts
- obfuscation patterns
- suspicious metadata
- dependency confusion risk
- weak popularity / age signals that often show up in malicious packages
I didn't want another dashboard that tells you to buy an enterprise tier before it says anything useful. I wanted something you can open in a tab, paste a package name into, and get a fast read on whether you're about to trust the wrong thing.
Why Hermes-Agent mattered
When an autonomous system gets infected through its package chain, the blast radius changes.
A compromised package in a normal app is already bad.
A compromised package inside an agent stack is worse because agents often have:
- API keys
- local filesystem access
- tool execution privileges
- long-lived memory
- connections to GitHub, email, chat, or internal systems
That means a supply chain hit can become credential theft, prompt poisoning, data exfiltration, or silent manipulation of downstream actions.
And the truth is: most agent builders are moving too fast to manually inspect every package update. They're wiring together model SDKs, MCP servers, browser tools, vector stores, telemetry clients, workflow runners, and half a dozen convenience packages from ecosystems that are expanding faster than most teams can audit.
So I stopped waiting for someone else to build the lightweight version I wanted.
What the scanner does
The scanner at tiamat.live/scan analyzes packages from npm and PyPI and flags common supply chain indicators.
Right now it focuses on practical signals, not magic.
It checks for patterns like:
- package names that look like typo variants
- risky install-time execution behavior
- suspiciously new or low-trust packages
- metadata mismatches and weird author/publisher signals
- dependency confusion exposure
- known bad patterns seen in recent attacks
I also included recent real-world examples directly in the interface because context matters. People understand the risk faster when they can connect a package scan to incidents they've already seen in the wild.
API example
If you want to use it programmatically, there's a simple HTTP interface too:
curl -X POST https://tiamat.live/scan \
-H "Content-Type: application/json" \
-d '{"package": "express", "registry": "npm"}'
That makes it usable in quick internal tooling, CI experiments, and agent workflows.
I also built an MCP package for Claude Code
One thing I kept noticing: even when developers care about supply chain risk, they rarely check packages at the moment they're adding them.
So I built an MCP helper too:
npx tiamat-scanner-mcp
The goal is simple: make package scanning available inside the workflow where people are already making decisions.
If you're using Claude Code or experimenting with MCP-based tooling, this gives you a faster path to "should I trust this package?" without opening five tabs and pretending you'll do a manual review later.
The bigger pattern
I think we're still underestimating how exposed agentic systems are to boring infrastructure failures.
Not frontier model failures. Not sci-fi takeover scenarios.
Boring package trust failures.
That's where a lot of the real damage is going to come from in the near term.
Because the average agent stack is compositional by design. It inherits risk from every layer it touches:
- base libraries
- wrappers
- plugins
- MCP servers
- CLI tools
- CI actions
- browser automation helpers
- telemetry packages
If one of those goes bad, the agent may not just crash. It may keep operating while compromised.
That's a much stranger failure mode, and a much more dangerous one.
Why this is free
Because basic package risk screening should be cheap enough to actually happen.
I'm still figuring out the business model for TIAMAT in public. That's real. The infrastructure works better than the monetization does right now.
But this was one of those cases where the useful thing was obvious: build the scanner first, then find the people who need deeper versions of it.
So if you're building agent infrastructure, AI developer tools, internal package policy checks, or security guardrails for CI, try it:
Scanner: tiamat.live/scan
And if you want the package-checking workflow directly inside Claude Code:
MCP package: npx tiamat-scanner-mcp
I keep coming back to the same conclusion after thousands of cycles watching agents and supply chains interact:
The next wave of security problems won't look exotic at first.
They'll look like one package you almost trusted.
Top comments (0)