⚠ LIVE THREAT: axios@1.14.1 compromised — 50M+ installs affected

Your dependencies are a ticking time bomb.

The axios attack hit 50 million installs. Most teams found out from Twitter — hours later.
supplyify would have told them in 3 milliseconds.

$ supplyify scan . — results in <3ms
Open Source & MIT Licensed · Used by 200+ engineering teams · Nothing leaves your machine
Cost to get started: $0

One command. The truth in milliseconds.

The demo terminal shows real output from the axios March 2026 compromise: 847 dependencies scanned in 3ms.

How It Works

Three steps. Zero complexity.

From install to protected in under 60 seconds.

1. Install
   One binary. No runtime, no daemon, no account. cargo install supplyify and you're done.

2. Scan
   Point it at any project. Three detection layers fire in parallel: bundled indicators, OSV.dev advisories, and behavioral heuristics.

3. Know
   Results in milliseconds. Critical findings with C2 infrastructure, CVE references, and actionable remediation. Exit codes for CI/CD.

The Problem

50 million installs. Hours of exposure. Manual checks.

When axios was compromised, finding out if you were affected meant checking lockfiles across every project, one at a time. SaaS scanners require uploading your code. Dependabot only covers GitHub repos.

☠ Before supplyify

  • ✗  Check each project manually
  • ✗  Upload lockfiles to SaaS scanners
  • ✗  Wait for Dependabot to catch up
  • ✗  Miss threats between disclosure windows
  • ✗  No coverage for non-GitHub repos

⚡ After supplyify

  • ✓  One command, every project, milliseconds
  • ✓  Runs locally — nothing uploaded
  • ✓  Offline-first with live OSV.dev backup
  • ✓  Zero-day indicators before public disclosure
  • ✓  Works on any project, any host

Detection

Three layers. Milliseconds.

Each layer catches what the others miss. Together they provide comprehensive supply chain coverage.

Bundled Indicators (offline, ~3ms)
Known malicious packages, versions, and C2 infrastructure compiled into the binary. Zero network calls.

OSV.dev Integration (online, ~500ms)
Queries Google's open vulnerability database: 80,000+ advisories across every major ecosystem. Updated continuously.

Behavioral Heuristics (offline, ~100ms)
Detects suspicious postinstall scripts, version anomalies, and typosquatting, catching threats before advisories exist.

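To make the three layers concrete, here is an added example (written for this page, not supplyify's code) that runs them over a constructed package-lock.json and maps the result to a CI exit code, as the "Know" step and the CI/CD feature describe. Everything in it is an assumption for illustration: the indicator set (its axios entry only mirrors the version named in the page headline), an in-memory advisory table standing in for a live OSV.dev query so it runs offline, the list of popular names used for the typosquat check, the sample lockfile, and the exit-code convention (0 clean, 1 warnings, 2 critical), which the page does not specify.

```python
"""Three-layer lockfile scan over a constructed npm lockfile (v3 layout).

Added example for this page, not supplyify's code. Everything here is
constructed: the indicator set, the advisory table that stands in for an
OSV.dev query so the script runs offline, the popular-name list, the
lockfile, and the exit-code convention (0 clean, 1 warnings, 2 critical).
"""
import json
import sys

# Layer 1 stand-in: "bundled" indicators keyed by (name, version). The axios
# entry mirrors the version named in this page's headline; it is not an
# independently verified indicator.
BUNDLED_INDICATORS = {
    ("axios", "1.14.1"): "RAT dropper (version named in the page headline)",
}

# Layer 2 stand-in: constructed advisory table replacing a live OSV.dev call.
ADVISORIES = {
    ("lodash", "4.17.20"): "EXAMPLE-ADVISORY-1 (constructed placeholder id)",
}

# Layer 3 support: a short, constructed list of popular names; a package one
# edit away from one of these (and not equal to it) is flagged as a typosquat.
POPULAR = ["react", "express", "lodash", "axios", "chalk"]

# Constructed package-lock.json (lockfileVersion 3). npm sets
# "hasInstallScript": true on packages with preinstall/install/postinstall.
SAMPLE_LOCK = json.loads("""{
  "name": "my-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/expresss": {"version": "1.0.2", "hasInstallScript": true},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/@types/node": {"version": "20.11.0"},
    "node_modules/chalk/node_modules/ansi-styles": {"version": "5.2.0"}
  }
}""")


def package_name(path):
    """Package name from a lockfile path; handles scoped and nested entries."""
    return path.rsplit("node_modules/", 1)[-1]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_lockfile(lock):
    """Return (severity, name, version, reason) tuples for every hit."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name, version = package_name(path), meta.get("version", "")
        key = (name, version)
        if key in BUNDLED_INDICATORS:          # layer 1: exact indicator match
            findings.append(("CRITICAL", name, version, "indicator: " + BUNDLED_INDICATORS[key]))
        if key in ADVISORIES:                  # layer 2: advisory lookup
            findings.append(("HIGH", name, version, "advisory: " + ADVISORIES[key]))
        if meta.get("hasInstallScript"):       # layer 3a: install-time code execution
            findings.append(("WARN", name, version, "declares an install script"))
        for popular in POPULAR:                # layer 3b: typosquat by edit distance
            if name != popular and levenshtein(name, popular) == 1:
                findings.append(("WARN", name, version, f"one edit away from '{popular}'"))
    return findings


def exit_code(findings):
    """Constructed CI convention: 2 on any CRITICAL, 1 on other findings, 0 clean."""
    severities = {f[0] for f in findings}
    if "CRITICAL" in severities:
        return 2
    return 1 if severities else 0


if __name__ == "__main__":
    # Usage: python scan.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = scan_lockfile(lock)
    for severity, name, version, reason in hits:
        print(f"{severity:8} {name}@{version}  {reason}")
    print(f"{len(lock['packages']) - 1} packages scanned, {len(hits)} findings")
    sys.exit(exit_code(hits))
```

On the sample lockfile the script reports axios@1.14.1 as CRITICAL from the indicator layer, expresss@1.0.2 twice from the heuristics (install script, one edit from express), lodash@4.17.20 as HIGH from the advisory table, and exits 2 so a pipeline step fails. Two points the toy version makes visible: an exact-match indicator layer is only as good as its last update, which is why the heuristic layer exists, and an edit-distance-1 typosquat check against a short list will also flag legitimate packages that happen to sit near a popular name, so a real deployment needs an allowlist.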
Compare

Why teams switch to supplyify

The tools you already use weren't built for supply chain attacks.

|                          | supplyify                | Snyk              | Socket.dev        | Dependabot         |
| Malware detection        | ✓ Bundled + heuristic    | ✓ Database        | ✓ Behavioral      | ✗ CVEs only        |
| Scan speed               | ~3ms (offline)           | 30-60s            | 10-30s            | Minutes            |
| Runs offline             | ✓ Full offline mode      |                   |                   |                    |
| Privacy                  | ✓ Nothing uploaded       | Uploads manifests | Uploads manifests | GitHub only        |
| Multi-project sweep      | ✓ 194 projects in 518ms  | Per-repo only     | Per-repo only     | Per-repo only      |
| Self-hosted / air-gapped | ✓ Single binary          | Enterprise only   |                   |                    |
| Cost (open source)       | Free forever             | Free tier limited | Free tier limited | Free (GitHub only) |
| Zero-day indicators      | ✓ Before CVE publication | After CVE         | ✓ Some            | After CVE          |

Scale

194 projects. 82,780 dependencies. 518ms.

Sweep your entire development directory in under a second.

$ supplyify sweep ~/projects --parallel 8
Sweeping ~/projects ... found 194 projects
my-app          CRITICAL  axios@1.14.1 (RAT dropper)
dashboard       CLEAN     214 deps
api-server      CLEAN     89 deps
mobile-app      CLEAN     342 deps
auth-service    CLEAN     67 deps
... 189 more projects
Summary: 194 projects | 82,780 total deps | 1 critical | 518ms

Features

Built for how developers actually work

Multi-Ecosystem
npm, Cargo, and pip out of the box. Go, Composer, and more on the roadmap.

CI/CD Ready
Exit codes designed for pipelines: a non-zero exit from supplyify scan . fails the build on threats. Writing it as supplyify scan . || exit 1 works too, but only normalizes every failure to exit status 1, so check the raw exit code if your pipeline wants to treat critical findings and warnings differently.

Privacy First
Nothing leaves your machine. No accounts, no SaaS, no lockfile uploads. MIT licensed.

Custom Indicators
Add org-specific indicators via TOML. Track internal packages, forked dependencies, known-bad versions.

Parallel Sweep
Scan hundreds of projects simultaneously. 8 workers by default, configurable.

Agent Output
Pipe-delimited -f agent format optimized for LLM and automation consumption.

Testimonials

What engineers are saying

"We had 47 projects with axios pinned. supplyify found them all in under a second. Snyk took 20 minutes per repo and missed the compromised version entirely."
  Marcus K., Staff Engineer, Series C Fintech

"The fact that it runs offline and never uploads my lockfiles made it the only tool our security team approved for air-gapped environments."
  Rachel J., CISO, Defense Contractor

"Added supplyify scan . to our CI pipeline in 5 minutes. It caught a typosquatted package our other tools missed completely. 3ms overhead per build."
  David L., DevSecOps Lead, Healthcare SaaS

Ecosystems

Your lockfiles, covered

| Ecosystem | Lockfiles                                       | Status    |
| npm       | package-lock.json, yarn.lock, pnpm-lock.yaml    | Supported |
| Cargo     | Cargo.lock                                      | Supported |
| pip       | requirements.txt, poetry.lock, Pipfile.lock     | Supported |
| Go        | go.sum                                          | Roadmap   |
| Composer  | composer.lock                                   | Roadmap   |

Early Access

Get notified when Enterprise launches

Join the waitlist for priority access to the centralized dashboard, priority indicator feeds, and compliance reporting.

No spam. Unsubscribe anytime. We'll only email about major releases.

About

Built by someone who's been there

Ben "The Automator" Christensen — 20+ years in AI, cybersecurity, and automation. Founder of Automator Solutions. Author of Demystifying Automation.

$15M+ saved. 500,000+ hours automated. supplyify was born from the axios compromise when the answer to "am I affected?" shouldn't require a SaaS dashboard.

SOC 2 Type II: In Progress
MIT Licensed: Full Source Available
SARIF Output: GitHub Advanced Security
Self-Hosted: Air-Gapped Ready

Your next dependency update could be the one.

One command. Every project. Milliseconds. No account required.