Inspiration
Modern software moves fast because it is built on open-source dependencies, but that speed comes with hidden risk. A single compromised package can affect thousands of projects through direct and transitive dependencies. I was inspired by real supply chain attacks involving vulnerable packages, typosquatting, and suspicious maintainer takeovers, and I wanted to build something that helps developers catch those risks before they ship.
That idea became ShadowAudit. Instead of acting like a basic vulnerability checker, I wanted to answer a broader question: what is actually hiding in your dependencies? That led me to combine vulnerability scanning, maintainer monitoring, typosquat detection, AI-assisted behavioral analysis, and dependency graph visualization into one platform.
What it does
ShadowAudit is an AI-powered supply chain security scanner for npm and PyPI projects.
Users can upload or paste a package.json or requirements.txt file, and ShadowAudit will:
- Parse the dependency manifest and build a dependency tree
- Scan packages against the OSV vulnerability database
- Detect suspicious maintainer ownership changes
- Flag possible typosquatting against popular package names
- Run AI-assisted behavioral analysis on higher-risk packages
- Visualize the dependency graph and highlight risky nodes
- Store scan history and surface trends in a dashboard
- Let developers run the same scan from the terminal with a CLI
The result is a single workflow that helps developers understand not just whether a package is vulnerable, but also whether it looks suspicious and how much of the project it could impact.
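The "how much of the project it could impact" question can be answered by walking the dependency graph backwards from a risky package. The sketch below is an added example, not ShadowAudit's own code; the graph, the package names and the `blast_radius` function are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed dependency tree: package -> packages it depends on.
# "app" is the project root; all names are illustrative.
GRAPH = {
    "app": ["web-framework", "http-client", "cli-helper"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "template-engine": ["markup-escape"],
    "cli-helper": [],
    "url-parser": [],
    "markup-escape": [],
}


def blast_radius(graph, risky, root="app"):
    """Return who is affected if `risky` is compromised, and via which direct deps."""
    reverse = defaultdict(set)
    for pkg, deps in graph.items():
        for dep in deps:
            reverse[dep].add(pkg)
    # Breadth-first walk up the reversed edges; `seen` also guards against cycles.
    seen, queue = {risky}, deque([risky])
    while queue:
        for parent in reverse[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    direct = set(graph.get(root, []))
    return {
        "reaches_root": root in seen,
        # Intermediate packages that inherit the risk transitively.
        "affected_packages": sorted(seen - {risky, root}),
        # Top-level dependencies through which the risky package enters the project.
        "entry_points": sorted(p for p in seen if p in direct),
        # Fraction of non-root packages that are, or depend on, the risky one.
        "share_of_tree": round(len(seen - {root}) / (len(graph) - 1), 2),
    }
```

The `entry_points` list is the part a developer can act on: those are the manifest lines to pin, replace or remove.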
How I built it
I built ShadowAudit as a full-stack application with a backend, frontend, and CLI.
The backend uses FastAPI, Python 3.11, and Supabase/PostgreSQL. It handles dependency parsing, CVE checks, maintainer-risk analysis, typosquat detection, AI-assisted behavior analysis, scan persistence, and dashboard aggregation. For package intelligence, I integrated the OSV API, the npm registry, and the PyPI API.
The frontend uses Next.js 14, TypeScript, Tailwind CSS, shadcn/ui, and D3.js. I built a dark, security-focused interface with a scan flow, detailed results page, dashboard, and interactive dependency graph that helps users understand blast radius visually.
I also built a Node.js CLI so developers can run scans directly from the terminal using the same backend. On top of that, I added Docker-based deployment, CI workflows, fixtures, and end-to-end testing so the product feels like a real, deployable tool rather than just a concept.
Challenges I ran into
One of the biggest challenges was separating meaningful risk signals from noisy data. Package registries contain inconsistent metadata, and simple heuristics can create false positives. Not every maintainer change is suspicious, and not every similar package name is a typosquat. I had to refine the logic so the findings stayed useful and credible.
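One way to keep a name-similarity check from flagging legitimate packages, shown as an added example rather than ShadowAudit's actual logic. The popular-name list, the distance threshold of 1 and the minimum length of 5 are assumptions chosen for illustration.

```python
import re

# Constructed sample of well-known PyPI names; a real scanner would load a
# much larger list ranked by download count (assumption, not ShadowAudit's data).
POPULAR = {"requests", "numpy", "pandas", "urllib3", "python-dateutil", "flask", "django"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours count once
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 1):
    """Return popular names that `name` closely imitates, or [] if none."""
    norm = normalize(name)
    known = {normalize(p) for p in popular}
    if norm in known:  # the real package, or only a case/separator variant of it
        return []
    hits = []
    for target in sorted(known):
        if len(target) < 5:  # short names collide by chance; skip them
            continue
        if abs(len(norm) - len(target)) > max_distance:
            continue  # cheap length filter before the quadratic comparison
        if osa_distance(norm, target) <= max_distance:
            hits.append(target)
    return hits
```

Normalising before comparing is what stops `Python_DateUtil` from being reported as an imitation of `python-dateutil`: the registry treats them as the same name.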
I also ran into rate limiting issues when resolving dependency trees and querying external registries. Some APIs returned 429 Too Many Requests errors when too much metadata was requested too quickly. I addressed that by reducing redundant calls, limiting concurrency, and making the system degrade gracefully instead of failing outright.
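A sketch of that pattern (deduplicated lookups, capped concurrency, bounded retries, explicit degradation) as an added example, not code from ShadowAudit. `FakeRegistry`, `RateLimited` and the result shape are hypothetical stand-ins so the block runs offline.

```python
import asyncio


class RateLimited(Exception):
    """Raised by the registry client on HTTP 429 (hypothetical client)."""
    def __init__(self, retry_after=0.0):
        self.retry_after = retry_after


class FakeRegistry:
    """Constructed stand-in for a registry API: 'busy-pkg' always returns 429."""
    def __init__(self):
        self.calls = 0

    async def metadata(self, name):
        self.calls += 1
        if name == "busy-pkg":
            raise RateLimited(retry_after=0.01)
        return {"name": name, "maintainers": ["alice"]}


async def fetch_all(names, registry, max_concurrency=2, max_retries=2):
    sem = asyncio.Semaphore(max_concurrency)  # cap in-flight requests

    async def fetch_one(name):
        for attempt in range(max_retries + 1):
            try:
                async with sem:
                    return {"status": "ok", "data": await registry.metadata(name)}
            except RateLimited as exc:
                if attempt < max_retries:
                    # Back off outside the semaphore so other lookups proceed.
                    await asyncio.sleep(exc.retry_after * 2 ** attempt)
        # Degrade, but say so: an unchecked package must not be reported as clean.
        return {"status": "unchecked", "reason": "rate_limited"}

    unique = sorted(set(names))  # drop redundant lookups
    results = await asyncio.gather(*(fetch_one(n) for n in unique))
    return dict(zip(unique, results))


def scan(names):
    """Run the lookups and return (results by package, number of registry calls)."""
    registry = FakeRegistry()
    return asyncio.run(fetch_all(names, registry)), registry.calls
```

The distinct `unchecked` status matters for a security tool: a scan that silently drops rate-limited packages would present missing data as an absence of findings.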
Another challenge was AI reliability. Large language models are powerful, but their output is not always perfectly structured. I had to build fallback handling so that even if the AI step failed, the scan still completed and returned useful results.
On the frontend side, making the dependency graph interactive, readable, and stable across real data and smaller screens took more iteration than expected.
Accomplishments that I'm proud of
I’m proud that ShadowAudit goes beyond basic CVE scanning and looks at software supply chain risk from multiple angles. Instead of only showing vulnerability lists, it helps explain why a package may be risky and how deeply it affects the rest of the project.
I’m also proud that I built a polished end-to-end product, including:
- A web app with upload, scan, results, graph, and dashboard flows
- A CLI that uses the same backend for terminal-based scanning
- An interactive dependency graph with blast-radius exploration
- Error handling, loading states, validation, Docker deployment, and CI
Bringing all of those pieces together into one cohesive experience was one of the most rewarding parts of building the project.
What I learned
I learned that software supply chain security is about much more than known vulnerabilities. Trust, behavior, package history, and dependency relationships all matter. A package can have no reported CVEs and still look risky because of suspicious ownership changes or unusual install behavior.
I also learned how important graceful degradation is in real systems. External APIs fail, registries return incomplete data, AI calls time out, and users provide messy input. Building ShadowAudit pushed me to think beyond features and focus on resilience.
Most importantly, I learned that security tools need to be explainable. Developers trust results much more when they can see the package, the finding, the reason, the risk score, and the dependency graph all in one place.
What's next for ShadowAudit
The next step is to make ShadowAudit even more practical for real development workflows. I want to support lockfiles such as package-lock.json, pnpm-lock.yaml, poetry.lock, and pinned Python dependency files, because real risk depends on resolved versions, not just top-level manifests.
I also want to bring ShadowAudit into CI/CD by adding GitHub Actions support and pull request comments so teams can scan dependency risk automatically on every commit. Beyond that, I want to add SBOM export, private registry scanning, policy-based blocking for risky dependencies, and automated remediation suggestions.
Long term, I see ShadowAudit becoming a developer-friendly supply chain security layer that helps teams catch risky dependencies earlier, understand blast radius faster, and make safer dependency decisions without slowing down development.
Built With
- chatgpt
- css
- python
- react
- supabase
- tailwind
- typescript