
@dreamhorizonorg/sentinel
Open-source, zero-dependency tool that blocks compromised packages BEFORE download. Built to counter supply chain and credential theft attacks like Shai-Hulud.
A secure wrapper for npm, yarn, pnpm, and bun that prevents installation of compromised packages.
Built to counter supply chain attacks like the Shai-Hulud npm worm.
Supply chain attacks have surged dramatically in recent years, with the npm ecosystem being a prime target. npm audit and Dependabot scan AFTER installation, which is too late to prevent credential theft: a malicious package's install script has already run by the time they report.

Sentinel is a free, open-source, zero-dependency tool that intercepts package manager commands locally on your machine to block installation BEFORE download.
| Feature | npm audit | Snyk (free) | Dependabot | Socket.dev | Phylum.io | Sentinel |
|---|---|---|---|---|---|---|
| Blocks before download | ❌ | ❌ | N/A | ⚠️ Platform | ⚠️ Platform | ✅ Local-only |
| No SaaS/account required | ✅ | ❌ | N/A | ⚠️ Free tier | ⚠️ Free tier | ✅ |
| Shell alias integration | ❌ | ❌ | N/A | ❌ | ❌ | ✅ |
| Multi-PM (npm/yarn/pnpm/bun) | ❌ | ✅ | ❌ | ⚠️ npm focus | ⚠️ varies | ✅ |
| Zero npm dependencies | ✅ | ❌ | N/A | ❌ | ❌ | ✅ |
| Open source | ✅ | ❌ | Partial | ❌ | ❌ | ✅ |
| Cost | Free | Freemium | Free | Freemium | Freemium | Free |
| Transparent (no workflow changes) | ✅ | ❌ | ✅ | ⚠️ varies | ⚠️ varies | ✅ |
Note: Comparison based on publicly available information as of November 2024. Features and pricing may vary.
| Method | Best For | Command |
|---|---|---|
| npm Global | Individual developers | npm install -g @dreamhorizonorg/sentinel |
| Dev Dependency | Team projects, CI/CD | npm install --save-dev @dreamhorizonorg/sentinel |
| Git Clone | Development, contributing | git clone https://github.com/ds-horizon/sentinel.git && cd sentinel && ./bin/install.sh |
```bash
# Install from npm
npm install -g @dreamhorizonorg/sentinel

# Verify installation
sentinel status

# Set up shell aliases for automatic validation
sentinel add aliases

# Reload shell
source ~/.zshrc # or ~/.bashrc

# (Optional) Create config file in your project
cd your-project
sentinel init

# Use normally - validation happens automatically
npm install package-name
yarn add package-name

# To uninstall later
sentinel remove aliases
npm uninstall -g @dreamhorizonorg/sentinel
```
```bash
# Install in your project
npm install --save-dev @dreamhorizonorg/sentinel

# Initialize config file
npx @dreamhorizonorg/sentinel init

# Use for scanning
npx @dreamhorizonorg/sentinel scan
```
```bash
# Clone and install
git clone https://github.com/ds-horizon/sentinel.git
cd sentinel
./bin/install.sh

# Reload shell
source ~/.zshrc # or ~/.bashrc

# Use normally - validation happens automatically
npm install package-name
yarn add package-name
```
📖 For more options (CI/CD setup, advanced configuration), see the Usage Guide.
```text
Developer: npm install package-name
        ↓
Sentinel intercepts (via shell alias)
        ↓
Validation BEFORE download:
├─ Local blacklist (~800 known malicious packages)
├─ OSV database (real-time)
├─ GitHub Advisories (real-time)
└─ npm audit (optional fallback)
        ↓
├─ Compromised → BLOCK ❌
└─ Safe → Install ✅
```

Example - Blocked package:

```text
$ npm install malicious-package
⚠️ BLOCKED: malicious-package@1.2.3
Reason: Shai-Hulud worm - credential theft
Source: Local blacklist
Installation aborted. No packages were downloaded.
```
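The following is an added example, not Sentinel's own code, showing the "local blacklist" stage of the flow above as a wrapper would see it from a shell alias: the install arguments are parsed into package specs (scoped names included), each exact version is matched against a blacklist whose entries carry a `compromisedVersions` array, and a decision is returned before any package manager runs. The blacklist entries, package names, versions and the `gate`/`parseSpec` names are constructed for illustration; resolving bare names or dist-tags against the registry is deliberately left out.

```javascript
// Added example, not Sentinel's own code: a minimal pre-install gate that
// mirrors the flow above using only the "local blacklist" stage. The blacklist
// entries, package names and versions below are constructed for illustration.
const BLACKLIST = [
  { name: "malicious-package", compromisedVersions: ["1.2.3"],
    reason: "Shai-Hulud worm - credential theft" },
  { name: "@evil-scope/leftpad", compromisedVersions: ["0.0.9", "0.1.0"],
    reason: "credential theft" },
];

// Parse one install argument ("lodash", "lodash@4.17.21", "@scope/pkg@1.0.0")
// into { name, version }. Scoped names start with "@", so the version
// separator is the first "@" after position 0. Dist-tags and ranges are not
// exact versions, so they come back as version: null (an unresolved spec).
function parseSpec(spec) {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  if (at === -1) return { name: spec, version: null };
  const name = spec.slice(0, at);
  const candidate = spec.slice(at + 1);
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(candidate);
  return { name, version: exact ? candidate : null };
}

// What a shell alias sees: ["npm", "install", "--save-dev", "pkg@1.2.3", ...].
// Only install-style verbs are gated; "npm run build" etc. pass straight through.
const INSTALL_VERBS = new Set(["install", "i", "add"]);
function extractSpecs(argv) {
  const [, verb, ...rest] = argv;
  if (!INSTALL_VERBS.has(verb)) return [];
  return rest.filter((a) => !a.startsWith("-")).map(parseSpec);
}

// Exact-version match, as the page describes: a patched 1.2.4 passes even
// though 1.2.3 of the same package is listed.
function findCompromised(name, version, blacklist = BLACKLIST) {
  if (version === null) return null;
  const entry = blacklist.find((e) => e.name === name);
  return entry && entry.compromisedVersions.includes(version) ? entry : null;
}

// Returns { allowed, blocked } so a wrapper can exec the real package manager
// only when allowed is true. Resolving bare names or dist-tags against the
// registry before checking is left out of this example.
function gate(argv, blacklist = BLACKLIST) {
  const blocked = [];
  for (const { name, version } of extractSpecs(argv)) {
    const hit = findCompromised(name, version, blacklist);
    if (hit) blocked.push({ name, version, reason: hit.reason, source: "Local blacklist" });
  }
  return { allowed: blocked.length === 0, blocked };
}

// Renders the same shape of message the page shows for a blocked install.
function formatReport(result) {
  if (result.allowed) return "OK: no blacklisted packages requested";
  return result.blocked
    .map((b) => `BLOCKED: ${b.name}@${b.version}\nReason: ${b.reason}\nSource: ${b.source}`)
    .join("\n") + "\nInstallation aborted. No packages were downloaded.";
}

console.log(formatReport(gate(["npm", "install", "malicious-package@1.2.3"])));
console.log(formatReport(gate(["npm", "install", "malicious-package@1.2.4"])));
```

Two things the example makes visible that the diagram does not: a bare `npm install` with no arguments (installing from package.json and the lockfile) passes this gate untouched, which is why lockfile scanning is a separate feature; and the match is exact-version, so a patched release of a listed package is allowed, exactly as the FAQ below describes.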
📖 For provider configuration, see docs/PROVIDERS.md. For data sources, see docs/DATA_SOURCES.md.
| Package Manager | Support | Auto-Validation | Lockfile Scanning |
|---|---|---|---|
| npm | ✅ Full | ✅ Yes | ✅ package-lock.json |
| yarn | ✅ Full | ✅ Yes | ✅ yarn.lock (v1 + v4) |
| pnpm | ✅ Full | ✅ Yes | ✅ pnpm-lock.yaml (v5 + v6) |
| bun | ✅ Full | ✅ Yes | ✅ bun.lock (v1.2+) |
Note: Bun's binary lockfile (`bun.lockb`) is not supported. Use the text-based `bun.lock` format (default in Bun v1.2+) or run `bun install --save-text-lockfile` to migrate.
Minimal impact: for most installs the overhead is under 1 second. You can disable the network checks with `--skipNpmAudit=true --enableOsv=false --enableGitHub=false` for faster scans that use only the local blacklist; note that a package already reported to OSV or GitHub Advisories but not yet in the local blacklist will then pass.
Yes. Run a scan step in your CI pipeline after installing from the lockfile:

```yaml
- name: Install dependencies
  run: npm ci
- name: Scan for compromised packages
  run: npx @dreamhorizonorg/sentinel scan
```

This provides defense in depth: lockfiles + validation. Because the scan runs after `npm ci`, a finding means the package was already installed on that runner and any install scripts it carries have already executed, so treat it as an incident on the runner, not just a failed build. If you want nothing to execute before the check, install with `npm ci --ignore-scripts` in the first step.
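The following is an added example, not Sentinel's own code, of what a lockfile scan step like the one above has to do before any provider is consulted: walk the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), list every resolved name@version including copies nested under another package's `node_modules`, match them against a blacklist with the same `compromisedVersions` shape the FAQ below describes, and build the request body for an OSV batch query without sending it. The lockfile contents, blacklist entries and function names are constructed for illustration.

```javascript
// Added example, not Sentinel's own code. The lockfile below is constructed:
// a lockfileVersion 3 package-lock.json whose "packages" map includes a
// blacklisted version nested under express, which a flat scan of the top-level
// node_modules/ entries would miss.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { express: "^4.18.2" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/debug": { version: "2.6.9" },
    "node_modules/@evil-scope/leftpad": { version: "0.1.0" },
    "node_modules/express/node_modules/malicious-package": { version: "1.2.3" },
    "node_modules/malicious-package": { version: "1.2.4" },
  },
};

// Constructed blacklist in the compromisedVersions shape described on this page.
const BLACKLIST = [
  { name: "malicious-package", compromisedVersions: ["1.2.3"],
    reason: "Shai-Hulud worm - credential theft" },
  { name: "@evil-scope/leftpad", compromisedVersions: ["0.0.9", "0.1.0"],
    reason: "credential theft" },
];

// Package name is everything after the last "node_modules/" in the key; this
// keeps scopes ("@scope/pkg") and handles nested installs. The root entry ""
// and workspace link entries without a version are skipped by the caller.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

function listResolved(lock) {
  const out = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (name && meta.version) out.push({ name, version: meta.version, lockPath });
  }
  return out;
}

// Exact-version match against the blacklist; each finding carries the lockfile
// path so the report points at the offending copy, not just the name.
function scanLock(lock, blacklist = BLACKLIST) {
  return listResolved(lock).flatMap(({ name, version, lockPath }) => {
    const entry = blacklist.find((e) => e.name === name);
    if (!entry || !entry.compromisedVersions.includes(version)) return [];
    return [{ name, version, lockPath, reason: entry.reason }];
  });
}

// Body for POST https://api.osv.dev/v1/querybatch, one query per distinct
// name@version. Not sent here: whether to contact the network at all is the
// caller's decision (see the privacy note on this page).
function osvBatchBody(lock) {
  const seen = new Set();
  const queries = [];
  for (const { name, version } of listResolved(lock)) {
    const key = `${name}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    queries.push({ package: { name, ecosystem: "npm" }, version });
  }
  return { queries };
}

// A non-zero exit on any finding is what makes the step fail the CI job.
function exitCodeFor(findings) {
  return findings.length === 0 ? 0 : 1;
}

const lockFindings = scanLock(SAMPLE_LOCK);
for (const f of lockFindings) {
  console.log(`BLOCKED: ${f.name}@${f.version} at ${f.lockPath} (${f.reason})`);
}
console.log(`OSV batch size: ${osvBatchBody(SAMPLE_LOCK).queries.length}`);
```

The nested copy is the point of the example: `npm ls` style reasoning about top-level dependencies would report `malicious-package@1.2.4` (clean) and miss the `1.2.3` that express's subtree pulled in, while walking every `packages` key catches both. A lockfileVersion 1 file has a `dependencies` tree instead of a `packages` map and is not handled here.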
Sentinel checks multiple sources: local blacklist (~800 packages), OSV (100k+ vulnerabilities), GitHub Advisories, and npm audit (when scanning projects with lockfiles). If a zero-day package isn't in any database yet, add it to your custom blacklist or report it to the community.
The local blacklist contains specific compromised versions of packages. If you're using a different version that's not listed in the compromisedVersions array, the scan will pass. For example, if package-name@1.2.3 is marked as compromised but you're using package-name@1.2.4 (a patched version), Sentinel will allow the installation. Always ensure you're using a version that has been patched and verified as safe.
See the Troubleshooting Guide for detailed information.
No Telemetry: Sentinel itself sends zero telemetry and never uploads your dependency graph or package information. However, when using third-party vulnerability providers (OSV and GitHub Advisories), these services may collect API usage information including package names and versions queried. For complete privacy, you can disable network providers and use only the local blacklist with --enableOsv=false --enableGitHub=false.
Contributions are welcome! See CONTRIBUTING.md for guidelines.
MIT License - see LICENSE for details.
The npm package @dreamhorizonorg/sentinel receives a total of 9 weekly downloads. As such, @dreamhorizonorg/sentinel popularity was classified as not popular.
We found that @dreamhorizonorg/sentinel demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.