Hacker News

nfodor, today at 2:02 PM

Open-sourced a tool that catches this: compares npm tarballs against GitHub source. If deps exist in npm but not in git, it flags it.

Zero deps. One file. Already detects the hijacked maintainer email on the current safe version.

github.com/nfodor/npm-supply-chain-audit
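The check described in the comment above, written out as an added example for this thread. It is not the code from nfodor/npm-supply-chain-audit; it is illustrative code that compares the dependency fields of a `package.json` unpacked from an npm tarball against the `package.json` at the matching tag in git, and flags anything the tarball declares that the repository never did. Both manifests are constructed samples, and the version-spec mismatch finding is an extension beyond what the comment says the tool reports.

```javascript
// Added example for this thread, not code from the linked repository.
// Both manifests below are constructed samples, not real packages.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Compare the dependency fields of the published manifest (from the npm
// tarball) with the committed manifest (from git at the release tag).
// A dependency present in npm but absent from git is the signal the comment
// describes: something was added between source control and publication.
// A differing version spec is a weaker signal, reported separately.
function auditDependencies(npmManifest, gitManifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const published = npmManifest[field] || {};
    const committed = gitManifest[field] || {};
    for (const [name, spec] of Object.entries(published)) {
      if (!(name in committed)) {
        findings.push({
          severity: 'high', field, name, npmSpec: spec,
          reason: 'declared in npm tarball, absent from git',
        });
      } else if (committed[name] !== spec) {
        findings.push({
          severity: 'medium', field, name, npmSpec: spec, gitSpec: committed[name],
          reason: 'version spec differs between npm tarball and git',
        });
      }
    }
  }
  return findings;
}

// Constructed sample: manifest as committed at the release tag.
const gitManifest = {
  name: 'example-lib',
  version: '1.4.2',
  dependencies: { semver: '^7.5.0' },
  devDependencies: { mocha: '^10.2.0' },
};

// Constructed sample: manifest unpacked from the published tarball.
// It carries one dependency the repository never declared and a bumped spec.
const npmManifest = {
  name: 'example-lib',
  version: '1.4.2',
  dependencies: { semver: '^7.6.0', 'unlisted-helper': '^0.0.3' },
  devDependencies: { mocha: '^10.2.0' },
};

// Run the audit over the samples and print one line per finding.
function runAudit() {
  const findings = auditDependencies(npmManifest, gitManifest);
  for (const f of findings) {
    console.log(`[${f.severity}] ${f.field}.${f.name}: ${f.reason}`);
  }
  return findings;
}

runAudit();
```

In practice the two inputs come from `npm pack <name>@<version>` (the manifest sits at `package/package.json` inside the tarball) and `git show <tag>:package.json` from the upstream repository; a clean result only says the declared dependencies match, not that the tarball's JavaScript files match the source tree, which is a separate comparison.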


Replies

croemer, today at 4:15 PM

You mean you vibe coded something.

"Zero deps. One file." People prefer hand-written comments over LLM-written ones.

"Already detects the hijacked maintainer email on the current safe version." You simply flag all proton email addresses.