SPYDER [AI-Powered Supply Chain Security Scanner]
Inspiration
Honestly, this whole project started from a mix of fear and fascination. I'd been reading about supply chain attacks—SolarWinds, npm hijacking, all that scary stuff—and realized traditional security tools just... miss things. They're looking in the wrong places.
Then I had this random thought: spiders are amazing at detecting threats. The tiniest vibration in their web, and they know something's up. What if we could build security that worked like that?
That's when SPYDER clicked. An AI that watches your dependencies like a spider watches its web, always vigilant, never sleeping. Plus, it was my first hackathon, so I figured go big or go home, right? 😅
What it does
SPYDER is basically a security scanner on steroids that hunts for threats in your code dependencies. Here's what it does:
- �️ **Catches malicious packages* - Finds sketchy code patterns, backdoors, all the nasty stuff
- 🔍 Scans for vulnerabilities - Checks against CVE, GHSA, and OSV databases
- 🎯 Detects supply chain attacks - Spots typosquatting and dependency confusion
- 📊 Analyzes reputation - Scores packages based on trust factors
- 🤖 AI-powered insights - Uses GPT-4 to explain threats in plain English
- 🌐 Works with npm AND Python - Because why limit yourself?
- 👻 Horror theme UI - Okay, this part was just for fun, but animated spiders and ghosts make security way more interesting!
How we built it
Full disclosure: This was my first time using Kiro AND my first hackathon. I was basically learning everything on the fly.
The Architecture (with lots of Kiro's help)
I wanted different AI agents to handle different security checks, so Kiro helped me build this multi-agent system where each agent specializes in one thing:
# Kiro helped me structure this
agents = {
'code_agent': analyze_static_patterns(),
'vulnerability_agent': check_cve_databases(),
'supply_chain_agent': detect_typosquatting(),
'reputation_agent': score_package_trust(),
'synthesis_agent': aggregate_findings()
}
Tech Stack
Backend: Python + Flask (I know Python, so this felt safe)
AI: OpenAI GPT-4 (Kiro helped integrate this)
Frontend: HTML5 Canvas, CSS3, JavaScript (this was NEW territory for me)
APIs: OSV, Snyk, npm, PyPI
Database: SQLite for caching
Key Algorithms
Typosquatting Detection:
$$ \text{Similarity}(a, b) = 1 - \frac{\text{LevenshteinDistance}(a, b)}{\max(|a|, |b|)} $$
Reputation Scoring:
$$ R = w_1 \cdot \text{Age} + w_2 \cdot \log(\text{Downloads}) + w_3 \cdot \text{Maintenance} + w_4 \cdot \text{Author} $$
Threat Aggregation:
$$ P(\text{Malicious} \mid \text{Evidence}) = \frac{P(\text{Evidence} \mid \text{Malicious}) \cdot P(\text{Malicious})}{P(\text{Evidence})} $$
The Horror Theme
This is where Kiro really saved me. I had this vision of spiders crawling across the screen, ghosts floating around, jump scares—but I had NO IDEA how to build Canvas animations.
I literally told Kiro "I want spiders that move in 3D" and it generated this entire depth system with parallax effects, GPU acceleration, 60fps animations... stuff I would've taken weeks to figure out alone.
Challenges we ran into
1. False Positives Everywhere 🎯
The problem: My first version flagged EVERYTHING as suspicious. Like 40% false positives. Totally unusable.
What I learned: Context matters. The same code can be fine in tests but dangerous in production. Kiro helped me add context-aware analysis, and boom—false positives dropped to under 4%.
2. OpenAI Costs Were Insane 💰
The problem: I was burning through API credits. $50+ per scan? Not sustainable.
The fix: Kiro suggested caching LLM responses in SQLite. Now I get a 95% cache hit rate and scans cost like $0.08. Game changer.
3. Everything Was Too Slow ⚡
The problem: Analyzing packages one-by-one took forever. 2+ minutes for big projects.
The breakthrough: Kiro showed me how to use async/await in Python to run agents in parallel. Went from 2 minutes to 12 seconds. Mind blown.
4. My Animations Were Laggy 👻
The problem: I had like 20+ animated creatures and my laptop was dying.
The solution: Kiro helped me optimize—fewer creatures, GPU acceleration, depth-based rendering. Now it runs smooth even on my old machine.
5. Supporting Multiple Languages Was Hard 🌐
The problem: npm and Python packages are structured completely differently.
The clever part: Kiro helped me build a plugin system. Now adding new languages is easy. We added Python support in literally one day.
Accomplishments that we're proud of
Look, I'm not gonna lie—I'm pretty amazed we pulled this off:
- 🏆 94% detection accuracy - It actually works!
- ⚡ 10x faster than my first version
- 💰 95% cheaper thanks to caching
- 🎨 Unique UI - I've never seen a security tool with jump scares before 😄
- 🤖 Multi-agent AI - This architecture is actually pretty clever
- 🌐 Two ecosystems - npm AND Python
- 👥 Actually usable - Developers might actually want to use this
But honestly, the biggest accomplishment? Going from "I have no idea how Canvas animations work" to "I built a horror-themed security scanner with 3D creature animations" in my first hackathon. That's wild.
What we learned
Technical Stuff
Multi-agent AI is powerful: Instead of one big AI trying to do everything, specialized agents working together is way more effective.
Context is everything: The same code can be safe or dangerous depending on where it is. Understanding context cut our false positives by 90%.
Caching saves money: LLM APIs are expensive. Cache everything you can.
Async is magic: Python's async/await turned 2-minute scans into 12-second scans.
UX matters: Security tools don't have to be boring. The horror theme makes people actually want to try it.
Kiro-Specific Learnings
Kiro is like pair programming: I'd describe what I wanted, Kiro would generate code, we'd iterate. It felt collaborative, not like I was just copying code.
Steering docs are clutch: Once I added project documentation to steering, Kiro understood the architecture and stopped suggesting things that would break the system.
Specs + vibe coding = perfect combo: I used specs for big structured features, vibe coding for creative stuff. Best of both worlds.
Personal Growth
I can build things I thought were impossible: Before this, Canvas animations seemed like black magic. Now I've built a whole animation system.
Hackathons are intense but fun: Sleep-deprived coding hits different.
AI tools are force multipliers: Kiro didn't write the project for me, but it made me 10x more productive.
What's next for SPYDER
Short-term (if I survive this hackathon 😅)
- More languages - Maven, RubyGems, Go, Rust
- CI/CD integration - GitHub Actions, GitLab CI
- Real-time alerts - Slack, Discord notifications
- Better docs - Because I barely have any right now
Dream Features
- Behavioral sandboxing - Actually run packages in containers to see what they do
- Custom ML models - Train on your specific threats
- Blockchain verification - Immutable package signatures
- Team features - Multi-user dashboards, compliance reports
The Vision
I want SPYDER to become the go-to tool for supply chain security. Imagine if every developer ran SPYDER before deploying, and supply chain attacks just... stopped being a thing.
Like a spider in its web, SPYDER would be everywhere—watching, protecting, securing.
Try It Yourself
git clone https://github.com/vishu-2s/kiro1.git
cd kiro1
pip install -r requirements.txt
python app.py
Visit http://localhost:5000 and prepare for jump scares! 🕷️👻🎃
Log in or sign up for Devpost to join the conversation.